[eluser]Adam Griffiths[/eluser]
[quote author="Skinnpenal" date="1242577167"][quote author="Adam Griffiths" date="1242534273"]
In regards to limiting the number of login attempts to 5. A brute force attack is usually an automated process. Therefore a script running from an external resource would not be able to edit the cookie unless a macro was used along with a cookie editor to reset the attempts to 0. The whole point of having the maximum login attempts is to prevent a brute force attack.[/quote]
Thanks for the reply
What I mean is that I get the feeling that the automated tools have some countermeasures to this type of "security". If I were to build an automated tool, and knowing many login systems limit attempts with cookies, I'd make it clear the cookie after each failed attempt.
Could logging the attempts into a db table be a strengthening? I don't know how that could be done well, though. IP-only could block out a huge institution, school, etc. And combining it with user agents is pointless since it could be randomized from the automated tool (?). Well, I don't know... like I said, just curious
[/quote]
If I took into account everything that could happen, The Authentication Library would become bloated against every single possible security caveat. I have seen many brute forcing tools and none of them have been able to clear a cookie. Of course it's still totally possible but less likely. I'm sure there will be a way to make this more secure without increasing overhead, and when I find it, be sure that I'll include it in The Authentication Library.
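To make the difference between the two designs concrete, here is an added example (my own code, not part of The Authentication Library or this thread) that simulates both: a counter kept in the client's cookie, and the db-table counter Skinnpenal asks about, keyed by account name rather than by IP so a shared institution address is not locked out. The 15-minute window, the table layout and the `alice` account are assumptions for the demo; the limit of 5 is the one discussed above.

```python
import sqlite3

MAX_ATTEMPTS = 5            # the limit discussed in the thread
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window (not from the thread)

# Constructed account store; plaintext only to keep the example short.
USERS = {"alice": "correct-horse"}


def cookie_only_login(username, password, cookies):
    """Client-side counter: the count lives in the cookie jar the client sends."""
    attempts = int(cookies.get("attempts", "0"))
    if attempts >= MAX_ATTEMPTS:
        return "locked"
    if USERS.get(username) == password:
        cookies.pop("attempts", None)
        return "ok"
    cookies["attempts"] = str(attempts + 1)
    return "bad_password"


def make_db():
    """Assumed schema: one row per account currently carrying failures."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE login_attempts ("
        "username TEXT PRIMARY KEY, failures INTEGER NOT NULL, first_failure REAL NOT NULL)"
    )
    return db


def db_login(db, username, password, now):
    """Server-side counter keyed by account; the client's cookies play no part."""
    row = db.execute(
        "SELECT failures, first_failure FROM login_attempts WHERE username = ?",
        (username,),
    ).fetchone()
    if row is not None and now - row[1] > LOCKOUT_SECONDS:
        # Window expired: forget the old failures so a lockout is never permanent.
        db.execute("DELETE FROM login_attempts WHERE username = ?", (username,))
        row = None
    if row is not None and row[0] >= MAX_ATTEMPTS:
        return "locked"
    if USERS.get(username) == password:
        db.execute("DELETE FROM login_attempts WHERE username = ?", (username,))
        return "ok"
    if row is None:
        db.execute("INSERT INTO login_attempts VALUES (?, 1, ?)", (username, now))
    else:
        db.execute(
            "UPDATE login_attempts SET failures = failures + 1 WHERE username = ?",
            (username,),
        )
    return "bad_password"


def db_guard(db, now):
    """Adapts db_login to the (username, password, cookies) shape; cookies are ignored."""
    return lambda username, password, cookies: db_login(db, username, password, now)


def run_guessing_client(login_fn, guesses):
    """Simulates the tool Skinnpenal describes: it discards its cookies before
    every request. Returns the server's verdict for each guess."""
    results = []
    for guess in guesses:
        cookies = {}  # fresh jar each time, so a cookie-held counter never grows
        results.append(login_fn("alice", guess, cookies))
    return results


# Constructed guess list: six wrong passwords, then the right one.
GUESSES = ["guess%d" % i for i in range(6)] + ["correct-horse"]

if __name__ == "__main__":
    print("cookie counter:", run_guessing_client(cookie_only_login, GUESSES))
    print("db counter:    ", run_guessing_client(db_guard(make_db(), 1000.0), GUESSES))
```

Against the cookie counter the cookie-clearing client sees `bad_password` six times and then `ok`; against the table it is refused after the fifth failure and stays refused even when it finally sends the right password, until the window has passed. Keying on the account (optionally alongside the IP) is what avoids the "block out a whole school" problem raised above; the expiry keeps an attacker from locking a real user out forever by spamming wrong guesses.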