We have moved our forum to GitHub Discussions. For questions about Phalcon v3/v4/v5 you can visit here and for Phalcon v6 here.

Login bruteforce protection

Hello, guys!

I know that maybe this question can be a bit off-topic with Phalcon itself. But using this awesome framework, what is the best way to achieve this?

I really don't want to store the user's IP in a table with the "tries".

Is the CAPTCHA the best solution for this situation?

Thanks!


I use Google reCAPTCHA 2. There is something like a hidden reCAPTCHA now; you can check them out, it's quite easy to implement.

Well, CAPTCHA is best, but if you want to avoid it you can use mcrypt with a high enough cost, but this way you can have an easy DDoS on your site.

Google Captcha 2 is a very good solution, but a rate limiter is often useful too. Take a look at Phalcon Throttler :)


Bravo! Seems good, I will take a look at it, thanks for sharing!


I don't know how to proceed in this case, this post has more than one "Answer".

Accepted answer

Thanks, happy you found it useful :)

I would say that, if you just want to protect the login endpoint, then the Captcha is enough. It's perfect to protect from bots and automatic scripts. Instead, if you want to protect more private routes and/or limit the access to them, the Rate Limiter is the way to go.
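Added example, not part of the thread and not Phalcon Throttler's own API, of combining the two approaches discussed above: failures are counted per account and per client IP in memory (not a database table), a CAPTCHA is demanded after a few failures and attempts are refused after many, and the check runs before the password hash is verified so repeated guesses never pay the hashing cost that the earlier reply warns can become a denial of service. Class and method names, thresholds and the sample account names and addresses are constructed.

```php
<?php
// Added example, not Phalcon Throttler's code: an escalating login throttle.
// Failures are counted per account and per client IP in a sliding window,
// held in a cache-like array (use Redis/memcached when several workers share it).
final class LoginThrottle
{
    private array $failures = []; // failure timestamps keyed by "u:<user>" / "ip:<ip>"
    public function __construct(
        private int $window = 900,     // seconds a failure keeps counting
        private int $captchaAfter = 3, // failures before a CAPTCHA is demanded
        private int $blockAfter = 10,  // failures before the attempt is refused
    ) {}

    // Call before password_verify(): throttled requests must never reach the
    // expensive hash check, which is what turns guessing into a denial of service.
    public function decide(string $user, string $ip, int $now): string
    {
        $n = max($this->recent("u:$user", $now), $this->recent("ip:$ip", $now));
        if ($n >= $this->blockAfter) {
            return 'block';
        }
        return $n >= $this->captchaAfter ? 'captcha' : 'allow';
    }

    public function recordFailure(string $user, string $ip, int $now): void
    {
        $this->failures["u:$user"][] = $now;
        $this->failures["ip:$ip"][] = $now;
    }

    private function recent(string $key, int $now): int
    {
        $kept = array_values(array_filter(
            $this->failures[$key] ?? [],
            fn(int $t): bool => $now - $t < $this->window
        ));
        $this->failures[$key] = $kept; // prune expired entries while counting
        return count($kept);
    }
}

// Constructed demo: four failures against one account from one address.
$throttle = new LoginThrottle();
$now = 1_700_000_000;
foreach ([0, 10, 20, 30] as $offset) {
    $throttle->recordFailure('alice', '203.0.113.7', $now + $offset);
}
echo $throttle->decide('alice', '203.0.113.7', $now + 60), PHP_EOL;  // attacked account, same address
echo $throttle->decide('bob', '203.0.113.7', $now + 60), PHP_EOL;    // other account: IP counter still applies
echo $throttle->decide('alice', '198.51.100.9', $now + 60), PHP_EOL; // new address: account counter applies
```

The per-IP counter stops one host spraying many accounts, while the per-account counter stops distributed guessing against a single account; escalating to a CAPTCHA before hard blocking keeps legitimate users behind a shared NAT address from being locked out by someone else's failures.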

Thanks for being conscientious enough to care. My philosophy is to accept the answer that you decided to go with. If there were multiple strategies, pick the first one that mentioned that strategy.


I accept this answer, I will go for reCaptcha, then maybe consider using Phalcon Throttler. Thanks!