<br><br><div><span class="gmail_quote"><br></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I'm looking for ideas on how to implement a way to detect and block
<br>dictionary attacks. This is not a question of how to implement strong<br>passwords, but rather the act of limiting logins when too many failed<br>passwords have been attempted in some period of time.<br></blockquote>
</div><br>I was just wondering why can't the form fields for username and password be changed after every x attempts. And the post data checked for the new fields.<br><br>1. This way unless the bot waits for the complete form returned after every attempt it will send post data with the required fields being null. And if it does wait for the complete form returned after every attempt , it is made slow considerably.
<br><br>2.And after a threshold level , the username and password field can both be made of the type password and the label sent as image. this way withth enew form the bot doesnt know which is the username field and which is the password .
<br><br>This only works for 1 username many password atacks or 1 ip attacks.<br><br><br><br>Another method i was curious about was to generate the form with x number of extra username and password fields whose display style is set as
none.The bot might just pick the first pair of username and password field.This also gives us knowledge of a bot being used as post values from these fields will always be null unless it is being sent by a bot.<br><br><br>
Antano Solar John<br>