Login Lockout

Sayian

I am trying to think of a secure way to do the following.

After 3 invalid login attempts, block that IP Address from logging in to the account.
.. but at the same time not allowing abuse (someone submitting wrong passwords to lock you out of your own account) ..

Basically i need some ideas of how i could go about creating a system to stop users from cracking passwords to accounts on my website.

Current setup:
Login form .. Username/pass .. checks mysql for username passcombo, if mysql_num_rows are returned .. user is valid.

bpat1434

How about adding a column ("lock") and use a binary True/False (1/0) to allow them to log-in. Then, just check the form username, with that in the database and if the use has a "1" in the lock column, then they can't log in.

Also, add a function to send an email to the registered user that says their account has been locked because of 3 invalid login attempts. Then, link them to a hidden page that allows them to "re-register" with all their info. Check that against what's in the database, and unlock/re-password it, or log the IP and ban.

That's just my 2 cents.

~Brett

harmor

If you're blocking the ip address from the "hacker" if he fails after three attempts the real user can still login because his/her ip address isn't blocked