Agreed
Further to that, I would also suggest that you block or slow down the IP address after a certain number of failed login attempts from the same address, as otherwise a cracker could try the same password with a long list of different usernames in order to try to break in that way.
If I were you, I would impose a 1 second delay between login attempts for the same username or from the same IP address block, and after 3 failed attempts I would double the delay for each subsequent failed attempt, up to a maximum of around 5 minutes.
I don't think there is anything to be gained from using AJAX or suchlike to check usernames and passwords in real time. As roboticus said, that would just make a cracker's job easier, and also give them a way to overload your server and inflict a denial-of-service attack. A simple form submit with both a username and password on it should be sufficient.
One thing you might consider is to use JavaScript on the client to hash the user-supplied password with a random salt string supplied by the server, so that if the password submission form is intercepted over an insecure WiFi or suchlike, a cracker will not be able to re-use it later.
In reply to Re^2: real time server side validation
by chrestomanci
in thread real time server side validation
by yakoval
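The throttling scheme described in the post above (1 second between attempts per username and per IP block, doubling after the third failure, capped at about 5 minutes), written out as an added example that is not code from the original thread. It is in Python rather than Perl so the timing can be driven by a fake clock; the /24 and /64 block sizes, the case-folding of usernames, the in-memory counters and the constructed user table are all assumptions.

```python
import ipaddress
import time
from collections import defaultdict

BASE_DELAY = 1.0       # seconds between attempts for the same username or IP block
FREE_FAILURES = 3      # failures before the delay starts doubling
MAX_DELAY = 300.0      # cap of about five minutes


def ip_block(addr):
    """Map an address to the block it is throttled under.
    Assumption: /24 for IPv4, /64 for IPv6 (a subscriber usually holds a whole /64)."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def required_delay(failures):
    """Seconds that must separate the next attempt from the last one for a key with
    this many consecutive failures: 1s up to the third failure, then 2, 4, 8 ... capped."""
    if failures <= FREE_FAILURES:
        return BASE_DELAY
    return min(BASE_DELAY * 2 ** (failures - FREE_FAILURES), MAX_DELAY)


class LoginThrottle:
    """In-memory throttle keyed on both the username and the client's IP block.
    A real deployment would keep these counters in a shared store with a TTL."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                 # injectable so tests can control time
        self.failures = defaultdict(int)   # key -> consecutive failures
        self.last_attempt = {}             # key -> time of the last attempt

    def _keys(self, username, addr):
        # Usernames are folded to lower case (assumption: logins are case-insensitive).
        return ("user:" + username.lower(), "ip:" + ip_block(addr))

    def check(self, username, addr):
        """Return 0.0 if an attempt may proceed now, else the seconds still to wait."""
        now = self.clock()
        wait = 0.0
        for key in self._keys(username, addr):
            last = self.last_attempt.get(key)
            if last is not None:
                wait = max(wait, required_delay(self.failures[key]) - (now - last))
        return max(wait, 0.0)

    def record(self, username, addr, success):
        user_key, ip_key = self._keys(username, addr)
        now = self.clock()
        self.last_attempt[user_key] = self.last_attempt[ip_key] = now
        if success:
            # Only the per-user counter is cleared: a success on one account must not
            # let an address that is spraying passwords across many accounts start over.
            self.failures[user_key] = 0
        else:
            self.failures[user_key] += 1
            self.failures[ip_key] += 1

    def attempt(self, username, addr, password, verify):
        """Gate a login: throttle first, then verify, then record the outcome.
        Returns ("throttled", wait), ("denied", wait) or ("ok", 0.0)."""
        wait = self.check(username, addr)
        if wait > 0:
            return ("throttled", wait)      # credentials are not even looked at
        ok = verify(username, password)
        self.record(username, addr, ok)
        return ("ok", 0.0) if ok else ("denied", self.check(username, addr))


class FakeClock:
    """Constructed clock for the demonstration; advance it with clock.t += seconds."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    verify = lambda u, p: (u, p) == ("alice", "correct horse")   # constructed user table
    for _ in range(4):                                           # four wrong guesses, 1s apart
        print(throttle.attempt("alice", "203.0.113.5", "wrong", verify))
        clock.t += 1
    print(throttle.attempt("bob", "203.0.113.77", "x", verify))  # same /24 block, so throttled as well
```

Note that the throttle runs before the credentials are checked, so a throttled request costs the server no password hashing, and that the IP counter is deliberately not reset by a successful login.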
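The client-side hashing idea from the post above, written out as an added challenge-response example that is not code from the original thread. The server issues a random single-use nonce, the client submits an HMAC of that nonce keyed with its password hash instead of the password, and the server checks it against a stored verifier; a form captured on an insecure network therefore cannot be replayed. Two caveats a practitioner should keep in mind: the server has to store something it can recompute the response from, so the stored verifier is password-equivalent and the user table needs the same protection as plaintext would, and none of this protects the rest of the session, which is what TLS is for. The SHA-256 verifier, the in-memory nonce table and the user table are assumptions.

```python
import hashlib
import hmac
import secrets


def password_verifier(password):
    """The value the server stores for a user (assumption: SHA-256 of the password).
    It is password-equivalent: anyone who reads the table can answer challenges."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def client_response(nonce, password):
    """What the browser-side script computes and submits in place of the password:
    an HMAC over the server's one-time nonce, keyed with the password hash."""
    key = password_verifier(password).encode("ascii")
    return hmac.new(key, nonce.encode("ascii"), hashlib.sha256).hexdigest()


class ChallengeServer:
    """Hands out single-use nonces and checks responses against stored verifiers.
    The pending table is in memory here; a real server would expire old entries."""

    def __init__(self, users):
        self.users = users      # username -> verifier (constructed table in the demo)
        self.pending = {}       # nonce -> username it was issued for

    def challenge(self, username):
        """Issue a fresh random nonce to embed in the login form."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = username
        return nonce

    def login(self, username, nonce, response):
        """True only for a correct response to an unused nonce issued for this user."""
        # pop() consumes the nonce whatever happens next, so a captured form cannot be replayed
        if self.pending.pop(nonce, None) != username:
            return False
        verifier = self.users.get(username)
        if verifier is None:
            return False
        expected = hmac.new(verifier.encode("ascii"), nonce.encode("ascii"),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


if __name__ == "__main__":
    server = ChallengeServer({"alice": password_verifier("correct horse")})
    nonce = server.challenge("alice")
    captured = client_response(nonce, "correct horse")   # what an eavesdropper sees on the wire
    print("first submission:", server.login("alice", nonce, captured))
    print("replayed submission:", server.login("alice", nonce, captured))
```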