Account lockouts in app to protect from brute force cracking


#1

Anyone have a solution for locking out their user accounts if there are too many attempts with the wrong password? I have tried easy-security, but it was buggy when I had more than one tab open with the same user logged in. Oh, and I really don’t need anything terribly fancy. I’m looking for a good way to lock out an account, let the user know they are locked out (after 3 bad attempts) and then reset at x minutes so the user can try again.

Luca of meteor-useraccounts commented on this on github as well. His solution works, but it doesn’t let the user know their account is locked out until they use the correct password, which isn’t an expected behavior. Also, as far as I can tell there is no automatic resetting of the lock.

Here is what he has in his post, maybe someone could suggest an edit to accomplish the above.

Accounts.validateLoginAttempt(function(attempt){
    if (attempt.error){
        var reason = attempt.error.reason;
        if (reason === "User not found" || reason === "Incorrect password")
            throw new Meteor.Error(403, "Login forbidden");
    }
    return attempt.allowed;
});

Accounts.validateLoginAttempt(function(attempt){
    if (!attempt.allowed)
        return false;
    // Possibly denies the access...
    if (attempt.user && attempt.user.failedLogins >= 2) // CHANGE ME!
        throw new Meteor.Error(403, "Account locked!");
    return true;
});

Accounts.onLogin(function(attempt){
    // Resets the number of failed login attempts
    Meteor.users.update(attempt.user._id, {$set: {failedLogins: 0}});
});

Accounts.onLoginFailure(function(attempt){
    if (attempt.user && attempt.error.reason === "Login forbidden") {
        // Increments the number of failed login attempts
        Meteor.users.update(attempt.user._id, {$inc: {failedLogins: 1}});
    }
});
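One way to get the two missing behaviours (the lock is reported on every attempt, not only after a correct password, and it expires by itself after x minutes) is to keep the decision in a pure function and store `failedLogins` plus a `lockedUntil` timestamp on the user. The block below is an added example, not Luca's code and not part of meteor-useraccounts: the decision logic and the in-memory `simulate` driver run stand-alone in Node, while the `Accounts.validateLoginAttempt` wiring at the bottom is an assumption about how you would attach it in Meteor and only runs when the `Accounts` and `Meteor` globals exist. `MAX_FAILED`, `LOCK_WINDOW_MS` and the `lockedUntil` field name are values chosen for the example.

```javascript
// Added example: account lockout that reports the lock on every attempt
// and resets automatically once the lock window has passed.
// Not Luca's code nor meteor-useraccounts; the Meteor wiring at the bottom
// is an assumption about how you would attach it and only runs under Meteor.

const MAX_FAILED = 3;                   // lock after this many bad passwords
const LOCK_WINDOW_MS = 10 * 60 * 1000;  // "x minutes": 10 in this example

// Pure decision function. `state` holds the per-user counters that would
// live on the user document ({failedLogins, lockedUntil}); `passwordOk` is
// whether the credential check passed; `now` is a millisecond timestamp.
// Returns the verdict plus the updated counters to persist.
function evaluateAttempt(state, passwordOk, now) {
  const s = { failedLogins: 0, lockedUntil: 0, ...state };

  if (s.lockedUntil > now) {
    // Still inside the lock window: tell the user immediately, whether or
    // not this password was right, and do not touch the counters.
    const minutesLeft = Math.ceil((s.lockedUntil - now) / 60000);
    return {
      allowed: false, locked: true,
      reason: `Account locked; try again in ${minutesLeft} minute(s)`,
      state: s,
    };
  }

  if (s.lockedUntil !== 0) {
    // Lock window has elapsed: automatic reset before evaluating this try.
    s.failedLogins = 0;
    s.lockedUntil = 0;
  }

  if (passwordOk) {
    s.failedLogins = 0;                 // successful login clears the counter
    return { allowed: true, locked: false, reason: null, state: s };
  }

  s.failedLogins += 1;
  if (s.failedLogins >= MAX_FAILED) {
    s.lockedUntil = now + LOCK_WINDOW_MS;
    return {
      allowed: false, locked: true,
      reason: `Account locked after ${MAX_FAILED} failed attempts; ` +
              `try again in ${LOCK_WINDOW_MS / 60000} minutes`,
      state: s,
    };
  }
  return { allowed: false, locked: false, reason: 'Incorrect password', state: s };
}

// Stand-alone driver with an in-memory store, used to exercise the policy
// without Meteor. `attempts` is a constructed list of {user, ok, at}.
function simulate(attempts) {
  const store = new Map();              // userId -> {failedLogins, lockedUntil}
  return attempts.map(({ user, ok, at }) => {
    const verdict = evaluateAttempt(store.get(user) || {}, ok, at);
    store.set(user, verdict.state);
    return verdict;
  });
}

// Assumed Meteor wiring: persist the counters on Meteor.users and surface the
// lock as the login error. Guarded so the file also runs outside Meteor.
if (typeof Accounts !== 'undefined' && typeof Meteor !== 'undefined') {
  Accounts.validateLoginAttempt(function (attempt) {
    if (!attempt.user) return attempt.allowed;   // unknown user: nothing to lock
    const verdict = evaluateAttempt(attempt.user, attempt.allowed, Date.now());
    Meteor.users.update(attempt.user._id, {
      $set: { failedLogins: verdict.state.failedLogins,
              lockedUntil: verdict.state.lockedUntil },
    });
    if (verdict.locked) throw new Meteor.Error(403, verdict.reason);
    return verdict.allowed;   // false lets Meteor raise its own password error
  });
}

module.exports = { MAX_FAILED, LOCK_WINDOW_MS, evaluateAttempt, simulate };
```

Because the lock check runs before the password result is consulted, the third bad attempt and every attempt during the window get the "Account locked" error, and the first attempt after the window is evaluated on its own merits with the counter already cleared. Unknown usernames are left to Meteor's normal handling, so the counters are only ever attached to real user documents.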

#2

The validateLoginAttempt callback provides you with an object that contains the user object within attempt.user, so you could use that information to set/get failed attempt information for the specific user and inform the user either on screen or by email.


#3

Maybe sikka should have this implemented.


#4

Yea, that was my initial thought. I’ll check the github issues there and see what they think of this.


#5

Thanks, guess I’ll have to use this. I wonder if there are any open source projects that have already addressed this. I’m going to see if telescope does.