I recently added a neat security feature to Browserling. The feature is very simple: if someone tries to log in to Browserling unsuccessfully, they have to wait a little while before they can try to log in again. This feature prevents automated password guessing.
Here's how the implementation works:
You have to wait 2^n seconds between logins if you fail logging in n consecutive times.
The implementation of this security feature is just 20 lines long. Anyone can implement it in 15 minutes. The basic logic is the following: if a login is unsuccessful, then increase the unsuccessful-logins counter (n) for the user by one. If the login is unsuccessful again, figure out the time delta (delta) between the two logins in seconds and compare it to 2^n. If the time delta is less than 2^n, then make the user wait 2^n - delta seconds. Otherwise reset the counter and log the user in.
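The logic above, written out as an added example in Node-style JavaScript (this is not Browserling's own code). It assumes the caller supplies a hypothetical checkPassword(username, password) function, passes timestamps in as seconds so the behaviour is deterministic, and keeps per-user state in an in-process Map; a throttled attempt is neither counted as a failure nor allowed to check the password, so hammering the endpoint while waiting cannot extend the delay further (that last part is a design choice, not something the post spells out).

```javascript
// Exponential login back-off: after n consecutive failed logins a user must
// wait 2^n seconds before the next attempt is even considered.
// Added example, not Browserling's code. In a real app use Date.now() / 1000
// for `now` and a shared store (e.g. Redis) instead of an in-process Map.

class LoginThrottle {
  constructor() {
    // username -> { failures: n, lastAttempt: seconds of last counted attempt }
    this.state = new Map();
  }

  // Seconds the user must still wait, or 0 if an attempt may proceed now.
  waitSeconds(username, now) {
    const s = this.state.get(username);
    if (!s || s.failures === 0) return 0;
    const delta = now - s.lastAttempt;     // time since the last counted attempt
    const required = 2 ** s.failures;      // 2^n
    return delta < required ? required - delta : 0;   // 2^n - delta if still waiting
  }

  // checkPassword(username, password) -> boolean is supplied by the caller
  // (hypothetical; it stands in for the app's real credential check).
  attempt(username, password, now, checkPassword) {
    const wait = this.waitSeconds(username, now);
    if (wait > 0) {
      // Throttled: the attempt is not counted and the password is not checked,
      // so a rejected-while-waiting attempt cannot push the delay out further.
      return { ok: false, wait };
    }
    if (checkPassword(username, password)) {
      this.state.delete(username);         // success resets the counter
      return { ok: true, wait: 0 };
    }
    const s = this.state.get(username) || { failures: 0, lastAttempt: now };
    s.failures += 1;                       // n := n + 1
    s.lastAttempt = now;
    this.state.set(username, s);
    return { ok: false, wait: 2 ** s.failures };   // must wait 2^n seconds now
  }
}

// Constructed demo: one user, three wrong passwords, then the right one.
function demo() {
  const t = new LoginThrottle();
  // Constructed credentials for the demo only.
  const check = (u, p) => u === 'alice' && p === 'correct horse';
  const log = [];
  log.push(t.attempt('alice', 'wrong', 0, check));          // fails, n=1, wait 2s
  log.push(t.attempt('alice', 'wrong', 1, check));          // throttled, 1s left
  log.push(t.attempt('alice', 'wrong', 2, check));          // counted, fails, n=2, wait 4s
  log.push(t.attempt('alice', 'correct horse', 5, check));  // throttled: 3s < 4s, 1s left
  log.push(t.attempt('alice', 'correct horse', 6, check));  // allowed, logs in, counter reset
  return log;
}

console.log(demo());
```

Note that the state is keyed only by username, which is exactly why the lockout downside exists: any client that fails n times against a given username raises that user's delay. Keying the counter on (username, source IP) or capping the maximum wait are common ways to soften that without giving up the back-off.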
A downside to this feature is that someone can lock someone else out of their account by trying to log in too many times unsuccessfully. But in my opinion there is no reason why your web application shouldn't have this. You don't want your users' passwords to be hacked.
Until next time!