Brute force protect your website

On a website with the ability for users to logon, it is a good idea to have some sort of password policy. The most widely used contains minimum requirements for the length of the password and that the individual characters must be a mixture of numbers, letters and special characters. This is pretty much standard and they make it much more difficult to break into your system.

Eventually, these passwords will be broken and for a brute force robot it’s only a matter of time. That’s why it is a good idea to protect against brute force attacks by limiting the number of retries you can take to login if you forget the right password.

I’ve written a few methods that limits the number of retries to 5. When the fifth bad attempt to logon is reached, you are unable to login to the user account for five minutes. No other users are affected, only the one that is being brute forced.

The Code

private int NumberOfLogonAttemps()

{

  if (Cache[txtUserName.Text] == null)

    return 0;

 

  return (int)Cache[txtUserName.Text];

}

 

private void ClearLogonCounter()

{

  if (Cache[txtUserName.Text] != null)

  {

    Cache.Remove(txtUserName.Text);

  }

}

 

private void CountLogonAttempt()

{

  if (Cache[txtUserName.Text] == null)

  {

    Cache.Insert(txtUserName.Text, 1, null, Cache.NoAbsoluteExpiration, TimeSpan.FromMinutes(5));

  }

  else

  {

    int tries = (int)Cache[txtUserName.Text];

    Cache[txtUserName.Text] = tries + 1;

  }
}

Example of use

To use these three methods you have to call them from the logon buttons click event handler.

protected void BtnLoginClick(object sender, EventArgs e)

{

  CountLogonAttempt();

  if (NumberOfLogonAttemps() > 5)

  {

    Status.InnerHtml = "User has been locked for 5 minutes";

  }

  else

  {

    ClearLogonCounter();

    LogOn();

  }
}

This is very simple to implement and should it become an issue to logon for the users, you can raise the threshold to 10 retries.