I have read here and here that tracking the failed login attempts should be done on the user.

"If anyone tries to log in with the username/email someone@example.com X wrong times, I block someone@example.com"

Why shouldn't I do this based on IP, as anyone can block my users by knowing only their usernames/emails? Why shouldn't I do it like this:

"If this IP tries to log in with any username/email X wrong times, I block this IP"?

Accountant م
  • IP can be spoofed. Some workplaces, schools etc. might also have many, many people coming from the same public IP. – ficuscr May 08 '18 at 22:34
  • IP != user: one person, many IPs; one IP, many people. –  May 08 '18 at 22:34
  • There are thousands of users who could log in from the same Microsoft.com IP address. Do you ban all MS employees from your site because one may have done something wrong? – Ken White May 08 '18 at 22:35
  • @ficuscr So, how do I protect my users from getting blocked if someone knows their username? – Accountant م May 08 '18 at 22:36
  • IMO with security, fraud prevention etc., the more layers and combinations of approaches the better. 80/20. There are a number of ways to prevent brute force attacks: CAPTCHA after X failures, forcing strong passwords. Don't bother with locking accounts. – ficuscr May 08 '18 at 22:36
  • Blocking an IP makes sense e.g. for malicious web bots coming repeatedly from the same IP. Users may log in each day from a different computer, meaning also a different IP. – lubosdz May 08 '18 at 22:38
  • I run a few sites; I don't block based on IP or failed attempts. It's certainly not compulsory, and as you see it has some huge issues. –  May 08 '18 at 22:39
  • ^ agreed. Are you making your users safer, or just inconveniencing them (false positive of a valid user failing to recall their password) and creating a support nightmare? – ficuscr May 08 '18 at 22:41
  • I voted to close; this is opinion based, with an *incorrect* underlying assumption that you even have to block anyone for any reason. –  May 08 '18 at 22:48
  • @smith *"with an incorrect underlying assumption that you even have to block anyone for any reason"* – do you mean I shouldn't block a user when there are too many failed login attempts? – Accountant م May 08 '18 at 23:04
  • Yes, that's exactly what I mean. –  May 08 '18 at 23:11

2 Answers

A good example is https://en.wikipedia.org/wiki/Wikipedia:AOL#Why_are_AOL_users_often_blocked?

IPs don't identify a single person. ISPs, large corporations, public spots like libraries, etc. will often use some kind of enforced proxy, NAT, or transparent caching host for outgoing connections. This makes all the users from that network share a single IP.

Blocking the IP because of one person can block the whole group.

viraptor
  • Thank you very much, but doesn't this make it very easy for an attacker to repeatedly block my users if he knows their username? – Accountant م May 08 '18 at 22:39
  • Yes. That's why locking out in general is a bad idea. There are better solutions, like giving your users 2FA options, so even brute-forcing the password doesn't give access. Optionally you could block a (username, ip) pair for a short time (minutes) or add some client-side work factor to slow down the attacker. – viraptor May 08 '18 at 23:41
IPs are generally dynamically assigned, so blocking a black hat one day may be blocking a white hat the next.