Lock user account after 3 login attempts

sanctified

Programmer
Mar 9, 2006
65
GB
Hi Group,
The following code was written by someone else and I would like to amend it so that the user's account is locked after 3 unsuccessful attempts to log in. How can I amend this code? I have created a field called locked on the users table and will set it to 1 to lock the account out.

I'm new to ASP.NET and don't really understand the TRY section. I presume I would need to loop round this, incrementing a counter for every unsuccessful attempt. On the 3rd attempt, bomb out ...

Code:
    ' Handler name and signature are assumed; the post omitted the Sub declaration.
    Protected Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs)
        Dim blnValidConnection As Boolean
        Dim drUserData As SqlDataReader
        Dim strCommand As String
        Dim strConnect As String

        blnValidConnection = True
        lblLoginFailed.Text = ""

        ' The connection is opened with the user's own SQL login, so a failed Open()
        ' is what signals a wrong user ID or password.
        strConnect = "Data Source=" & strDataSource & ";Initial Catalog=" & _
            strDatabase & ";User Id=" & strDatabase & "_" & _
            txtUserID.Text & ";Password=" & txtPassword.Text & ";"
        ' The login is bound as a parameter rather than concatenated into the SQL text
        strCommand = "SELECT UserID, FirstName, Surname, AccessLevel " & _
            "FROM Users " & _
            "WHERE NTLogin = @NTLogin AND Archived = 'N'"
        connDBConnect.ConnectionString = strConnect
        cmdDBCommand.Connection = connDBConnect
        cmdDBCommand.CommandText = strCommand
        cmdDBCommand.CommandType = CommandType.Text
        cmdDBCommand.Parameters.Clear()
        cmdDBCommand.Parameters.Add("@NTLogin", SqlDbType.VarChar).Value = txtUserID.Text

        Try
            cmdDBCommand.Connection.Open()
        Catch exc As Exception
            blnValidConnection = False
            lblLoginFailed.Text = "User ID not recognized"
        End Try

        If blnValidConnection Then
            Try
                drUserData = cmdDBCommand.ExecuteReader()
                ' Read() returns False when no active row matches, so check it before indexing
                If Not drUserData.Read() Then
                    Throw New ApplicationException("No active user row for this login")
                End If
                Session("AccessLevel") = drUserData("AccessLevel")
                Session("ConnectionString") = strConnect
                Session("Database") = strDatabase
                Session("NTLogin") = UCase(txtUserID.Text)
                Session("UserID") = drUserData("UserID")
                Session("UserName") = drUserData("FirstName") & " " & drUserData("Surname")
                Session("FirstName") = drUserData("FirstName")
                Session("Surname") = drUserData("Surname")

                Session("intloginstatus") = 1

                drUserData.Close()

                ' The stored procedure's return value is the number of days until the password expires
                cmdDBCommand.CommandText = "pbay_CheckPasswordExpiry"
                cmdDBCommand.CommandType = CommandType.StoredProcedure
                cmdDBCommand.Parameters.Clear()
                cmdDBCommand.Parameters.Add("@pUserID", Session("UserID"))
                cmdDBCommand.Parameters.Add("RETURN_VALUE", SqlDbType.Int)
                cmdDBCommand.Parameters("RETURN_VALUE").Direction = ParameterDirection.ReturnValue
                cmdDBCommand.ExecuteNonQuery()

                Session("DaysToExpiry") = cmdDBCommand.Parameters("RETURN_VALUE").Value
                cmdDBCommand.Connection.Close()

                Response.Redirect("Parkmain.aspx")

            Catch exc As Exception
                lblLoginFailed.Text = "User ID/Password not recognized"
            End Try
        End If

    End Sub
 
This is C#, but it's what I came up with to accomplish that... my TODO is to ban the IP, not just email me that it's happening.

Code:
    public void ProcessLogin(object sender, EventArgs e)
    {
        bool passwordVerified = ef.VerifyPassword(txtUserName.Text, txtPassword.Text);
        if (passwordVerified)
        {
            FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, true);
        }
        else
        {
            SetFocus(txtPassword);
            pwAttempts.Visible = true;
            int loginAtt = loginAttempts();
            if (loginAtt == 3)
            {
                // Notify support on the third failure; the user-supplied name is
                // HTML-encoded so it cannot inject markup into the HTML mail body
                email.sendEmail("websupport@lockmeout.com", "Login Audit",
                        ConfigurationSettings.AppSettings["supportEmail"],
                        "3 Failed Login Attempts Occurred",
                        "<font style='font-family:Arial; font-size: 9pt;'>User: "
                        + Server.HtmlEncode(txtUserName.Text)
                        + "<br>IP: " + Request.ServerVariables["REMOTE_HOST"]
                        + "<br>Date: " + DateTime.Now.ToString()
                        + "</font>");
            }
            lblLoginAttempts.Text = loginAtt + " Failed Attempts";
            alert.jsAlert(lblJSMsg, "Invalid username or password");
        }
    }

    // The counter lives in ViewState, so it starts again whenever the page is requested fresh
    public int loginAttempts()
    {
        int attempts = ViewState["loginAttempts"] == null ? 0 : (int)ViewState["loginAttempts"];
        attempts++;
        ViewState["loginAttempts"] = attempts;
        return attempts;
    }
 
If the user is getting an incorrect login attempt, I think it should be written to the database rather than the ViewState, as it's much more secure. Otherwise, I can simply close the page after my 3 invalid attempts and keep trying. Whilst this may not be a problem if I am a legitimate user, what happens if I'm trying to guess your password and hack into your account?


____________________________________________________________

Need help finding an answer?

Try the Search Facility or read FAQ222-2244 on how to get better results.

 
Banning the IP won't necessarily help though. I'm looking at it from a security point of view (i.e. hacking into someone's account) and banning my IP is the simplest of hurdles to get over.

The reason I suggested updating the database is so that after 3 invalid attempts, the account is locked. You can then decide on a mechanism for releasing this lock (i.e. a timeframe, manual assessment, etc.).


 
sanctified said:
I have created a field called locked on the users table and will set it to 1 to lock the account out.

I'm sure he has that in mind, and a more complete process than just emailing someone, extending the provided sample beyond its simplistic approach. If a hacker wants to open and close the site after every 2nd attempt... more power to him!

I'm sure there are better ways than the ViewState, but what about incorrect usernames? Which account do you lock out? Slap a cookie on the hacker too, IP ban, block everyone with the same screen resolution (lol); the possibilities are endless, depending on your level of security interest. It's a can of worms, responded to by a can of whoop *%$
 
sanctified said:
I have created a field called locked on the users table and will set it to 1 to lock the account out.
That's great and what I was suggesting. My response, however, was to the user's post that said the ViewState method "worked a charm", as that, if implemented on its own, has potential security flaws since it is easily circumvented.

adamroof said:
if a hacker wants to open and close the site after every 2nd attempt... more power to him!
It wouldn't be manual though; most security attacks will be an automated script, and the hacker only has to find out once that resetting the session will allow them more attacks. Then it's built into the script and brute force methods are applied.

adamroof said:
what about incorrect usernames? which account do you lockout?
You don't need to lock any account. As the username is incorrect, it doesn't matter how many tries the hacker attempts with this username; it will never log them onto the system.

adamroof said:
slap a cookie on the hacker too, ip ban, block everyone with the same screen resolution (lol), possibilities are endless, depending on your level of security interests, its a can of worms, responded by a can of whoop *%$
Oh, I completely agree. There are many more security methods that we could go into and attempt to implement, but it's all about scope and what you need to protect. However, as this thread was directly looking at invalid attempts, I think it's only right to point out vulnerabilities in the solutions that have been offered and show what can be done to increase that security.

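A stand-alone illustration of the database-backed lockout ca8msm describes above (counter and lock flag in the Users table, a release mechanism, and unknown usernames refused without locking anything), written for this thread as an added example; it is Python with sqlite3 rather than any poster's ASP.NET code, and the table layout, the PBKDF2 password hashing, the 15-minute timed release and the sample account are all assumptions.

```python
import hashlib
import hmac
import sqlite3
import time

MAX_ATTEMPTS = 3        # lock on the third consecutive failure, as asked in the thread
LOCK_SECONDS = 15 * 60  # assumed timed release; a lock with no timestamp needs manual release

def hash_pw(password, salt):
    # Constructed scheme for the sample only (the original logs in to SQL Server instead)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def init_db():
    """In-memory Users table with one constructed sample account (not the thread's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (NTLogin TEXT PRIMARY KEY, Salt BLOB, PwHash TEXT, "
               "FailedAttempts INTEGER NOT NULL DEFAULT 0, "
               "Locked INTEGER NOT NULL DEFAULT 0, LockedAt REAL)")
    salt = b"constructed-salt"
    db.execute("INSERT INTO Users (NTLogin, Salt, PwHash) VALUES (?, ?, ?)",
               ("alice", salt, hash_pw("s3cret", salt)))
    db.commit()
    return db

def try_login(db, username, password, now=None):
    """Returns 'ok', 'failed' or 'locked'; every counter lives in the table, never in ViewState."""
    now = time.time() if now is None else now
    # Parameterised query instead of the string concatenation in the original VB code
    row = db.execute("SELECT Salt, PwHash, Locked, LockedAt FROM Users WHERE NTLogin = ?",
                     (username,)).fetchone()
    if row is None:
        return "failed"  # unknown name: nothing to lock, and the same reply as a bad password
    salt, pw_hash, locked, locked_at = row
    if locked and (locked_at is None or now - locked_at < LOCK_SECONDS):
        return "locked"  # refuse even a correct password while the lock holds
    if locked:  # timed release: clear lock and counter, then evaluate this attempt normally
        db.execute("UPDATE Users SET Locked = 0, FailedAttempts = 0, LockedAt = NULL "
                   "WHERE NTLogin = ?", (username,))
    if hmac.compare_digest(hash_pw(password, salt), pw_hash):
        db.execute("UPDATE Users SET FailedAttempts = 0 WHERE NTLogin = ?", (username,))
        db.commit()
        return "ok"
    # Count and lock in one statement so two concurrent failures cannot overwrite each other
    db.execute("UPDATE Users SET FailedAttempts = FailedAttempts + 1, "
               "Locked = CASE WHEN FailedAttempts + 1 >= ? THEN 1 ELSE 0 END, "
               "LockedAt = CASE WHEN FailedAttempts + 1 >= ? THEN ? ELSE NULL END "
               "WHERE NTLogin = ?", (MAX_ATTEMPTS, MAX_ATTEMPTS, now, username))
    db.commit()
    locked = db.execute("SELECT Locked FROM Users WHERE NTLogin = ?", (username,)).fetchone()[0]
    return "locked" if locked else "failed"
```

Closing the browser or resetting the session changes nothing here, because the third failure is recorded in the row itself; an admin who sets Locked = 1 with no LockedAt keeps the account locked until someone clears it by hand.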

 
round 4
ca8msm said:
I think it's only right to point out vulnerabilities with solutions that have been offered
Can we see your solution wrapped in code tags instead of quote tags?

ca8msm said:
You don't need to lock any account. As the username is incorrect, it doesn't matter how many tries the hacker attempts to use this username...

No way. Use whatever means you have at your disposal to get this person out of your system, and the sooner you know attempts are being made to guess a username, the quicker you can respond.

And on a positive note, the sooner you can assist the user who is attempting to log on to use the correct credentials.
 
I'm not sure what you mean by this? Don't feel like you have to "fight" with someone just because they point out a potential problem with a solution you post. Take it as something to learn from and an opportunity to make your solution better.

adamroof said:
Can we see your solution wrapped in code tags instead of quote tags?
My "solution" was simply how to improve on the invalid attempts part of the problem. I said "I think it should be written to the database rather than the ViewState". Do you really need to see a code sample of how to write to the database and update the invalid attempts field for a user record? I can provide one if necessary, but I don't think it's needed in this case.

adamroof said:
No way. Use whatever means you have at your disposal to get this person out of your system, and the sooner you know attempts are being made to guess a username, the quicker you can respond.
Again, I agree that it's beneficial to use any methods we can to detect hackers. However, you asked a question about which username we should update, and I directed my response to that question. Had you asked what patterns to look for with incorrect logins, my response would have been tailored differently.

I'm really not trying to argue with you although you seem to have taken it that way, so apologies if you've misunderstood what I was trying to say.


 
Math.Round(5) - lol

No ruffled feathers here... bock bock!
You still quoted though... grrrrr
 