Brute Force Protection

Josh Lewis
4:26 PM Saturday, 30 January 2016
I'm proposing at some point in time Brute Force Protection. Show your support for it on Voices. For those who are not familiar with Brute Force, basically it means someone can attempt to log in to an account an unlimited number of times in a short period. I just tested/confirmed this on my EasySocial site over and over in a short period of time. Even with a .htaccess protector placed on the administrator panel, users' login information is still potentially stealable as a result (I don't need to go into details of why this can be a serious nightmare even with the ES site itself being "secure"). All someone has to do is get a bot to access an account several thousand times in a short amount of time and crack the password of your account. This is more than just fear of account hijacking on the site. For computer-savvy people it's really easy, which makes this a very important issue.

How to Prevent Brute Force:

We would need to create a new SQL table, perhaps something called _social_login_attempts. The table would store the login attempts and associate them with the account with the failed login. A timestamp is needed as well for time tracking. Ideally it could store the IP address from the failed login as well, which gives us more options for how to handle the suspicious user.

If the number of login attempts exceeds 8-10 within a 15-minute span, we could either temporarily block the person from being able to log in for a while (via IP) or we could have the account lock for a while. The problem with the latter is that a malicious user could continuously lock someone out, which is why I like the IP version better. Some sites do 2-5 login attempts; however, this is too harsh in my honest opinion. We want as few people inconvenienced as possible while preventing both bots and obsessive humans from getting into other people's accounts.

I hope this is considered due to the importance of security with social networks. :)
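The design sketched in the post (a login-attempts table keyed by account, IP and timestamp; a threshold of 8-10 failures per 15 minutes; and the choice between blocking the source IP or locking the account) can be exercised end to end in a few dozen lines. The following is an added example written for this page, not code from the original post or from EasySocial. It uses an in-memory SQLite table named `social_login_attempts` (the name, the `MAX_ATTEMPTS = 8` threshold and the sample addresses are assumptions) and runs the same constructed scenario under both policies so the lock-out problem the post describes is visible in the results.

```python
import sqlite3

# Assumed parameters mirroring the post's proposal: 8-10 failures in a 15-minute span.
MAX_ATTEMPTS = 8
WINDOW_SECONDS = 15 * 60

# Table name and columns are constructed for this example, not EasySocial's schema.
SCHEMA = """
CREATE TABLE IF NOT EXISTS social_login_attempts (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  TEXT NOT NULL,
    ip        TEXT NOT NULL,
    attempted INTEGER NOT NULL   -- unix timestamp of the failed attempt
);
CREATE INDEX IF NOT EXISTS idx_attempts_ip   ON social_login_attempts (ip, attempted);
CREATE INDEX IF NOT EXISTS idx_attempts_user ON social_login_attempts (username, attempted);
"""


def open_db():
    """Create the attempts table in a fresh in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_failure(conn, username, ip, now):
    """Store one failed login: who was targeted, from where, and when."""
    conn.execute(
        "INSERT INTO social_login_attempts (username, ip, attempted) VALUES (?, ?, ?)",
        (username, ip, now),
    )
    conn.commit()


def recent_failures(conn, column, value, now):
    """Count failures for one IP or one account inside the sliding window."""
    # The column name is checked against a fixed whitelist; only values are parameterised.
    if column not in ("ip", "username"):
        raise ValueError("unknown column")
    row = conn.execute(
        f"SELECT COUNT(*) FROM social_login_attempts WHERE {column} = ? AND attempted > ?",
        (value, now - WINDOW_SECONDS),
    ).fetchone()
    return row[0]


def is_blocked_by_ip(conn, ip, now):
    return recent_failures(conn, "ip", ip, now) >= MAX_ATTEMPTS


def is_account_locked(conn, username, now):
    return recent_failures(conn, "username", username, now) >= MAX_ATTEMPTS


def purge_old(conn, now):
    """Housekeeping: drop rows that can no longer influence a decision. Returns rows deleted."""
    cur = conn.execute(
        "DELETE FROM social_login_attempts WHERE attempted <= ?", (now - WINDOW_SECONDS,)
    )
    conn.commit()
    return cur.rowcount


def attempt_login(conn, username, ip, password_ok, now, policy="ip"):
    """Apply the chosen policy before checking the password. Returns 'ok', 'failed' or 'blocked'."""
    if policy == "ip":
        blocked = is_blocked_by_ip(conn, ip, now)
    else:
        blocked = is_account_locked(conn, username, now)
    if blocked:
        return "blocked"          # refuse without even evaluating the password
    if password_ok:
        return "ok"
    record_failure(conn, username, ip, now)
    return "failed"


def simulate(policy):
    """Constructed scenario: one address hammers 'alice', then the real user logs in elsewhere."""
    conn = open_db()
    t0 = 1_454_169_960  # fixed epoch so the run is reproducible
    results = []
    for i in range(MAX_ATTEMPTS):                                   # 8 wrong passwords
        results.append(attempt_login(conn, "alice", "203.0.113.7", False, t0 + i, policy))
    # The hammering address now guesses correctly but is over the threshold.
    results.append(attempt_login(conn, "alice", "203.0.113.7", True, t0 + 100, policy))
    # The legitimate user, right password, from a different address.
    results.append(attempt_login(conn, "alice", "198.51.100.4", True, t0 + 101, policy))
    # After the window passes the old rows no longer count; a wrong password just fails.
    results.append(attempt_login(conn, "alice", "203.0.113.7", False, t0 + WINDOW_SECONDS + 200, policy))
    return results


if __name__ == "__main__":
    for policy in ("ip", "account"):
        print(policy, simulate(policy))
```

Under the `ip` policy the legitimate user from the second address still gets `ok`; under the `account` policy that same login is `blocked`, which is exactly the "a malicious user could continuously lock someone out" problem raised in the post. Two practical caveats a deployment should weigh: per-IP blocking can catch many real users behind one shared NAT or proxy, and an attacker spreading guesses across many addresses stays under any single-address threshold, so the IP rule is best treated as one layer alongside logging of these rows for later review.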