I have set up my db to log every failed login attempt. I thought I would multiply the number of failed attempts by 0.05 seconds or something. Something like:

    // 50,000,000 ns = 0.05 s per failed attempt so far
    time_nanosleep(0, (50000000 * $failed_attempts));

The more attempts a hacker uses to guess a password, the more time it takes to check each one. After checking 100 passwords he must wait 5 sec between each try.
Is this a good way to stop bruteforcing? I identify the users by IP. So I guess you can bruteforce the application by using multiple proxy servers or something, but besides that, I think it is a good idea. What do you guys think?
What about something like:

    // pow() rather than ^, which is bitwise XOR in PHP
    time_nanosleep(0, (10000000000 * pow(log($failed_attempts), 10)));

This will give you an exponentially increasing attempt window.
The first issue I see is that you are dealing with a bot that doesn't care if there is a delay between responses. Unless you do something to limit this you are using up system resources with potentially very long delays. Just ban the IP after 5 failed attempts. It can be a temporary ban if you are worried about banning a real user.
Limit retries by IP and use a CAPTCHA. Don't overload your server, think KISS.
You should try not to use sleep() because it uses CPU cycles, and if you have a brute force attack from 10,000 IP addresses you will fork 10,000 sleep() child processes or threads, which will cause load on your server.
Instead try to block the IP address using PHP. Something like this:

    function block_ip($ip) {
        // Deny list; here it holds just the single address passed in
        $deny = array($ip);
        // Refuse the request outright if the client is on the deny list
        if (in_array($_SERVER['REMOTE_ADDR'], $deny)) {
            header("HTTP/1.1 403 Forbidden");
            exit();
        }
    }
It shouldn't be your entire strategy against bruteforcing, but it's an excellent component for that strategy and IMO should pretty much always be used.
You might want to increase that time exponentially instead of just linearly; or make it fixed, e.g. deny for an hour after 5 failed attempts.
I know I've seen this done somewhere, though I forget where. In the example I saw, they doubled the time delay with each failed attempt. If you started with, say, .1 seconds, a normal user who might mistype his password once or twice gets up to a delay of .4 seconds. They won't even notice. But somebody who tries a brute force attack is quickly going to get delays in the minutes or hours.
I guess for a web app there might be an issue of launching a denial-of-service attack on yourself. It all depends on how the system handles the time delays.
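The "ban temporarily after N failures" and "double the delay each time" ideas from the answers above, combined into one throttle that never sleeps the request. This is an added example, not code from the thread; the in-memory array, the `LoginThrottle` name and the 429/Retry-After handling are assumptions (a real deployment would keep the records in the database or a shared cache).

```php
<?php
// Per-IP login throttle: each failure beyond a few free attempts sets a
// lockout window that doubles every time (1, 2, 4, 8 ... s), capped at
// $maxSeconds. The request is rejected immediately while the window is
// open instead of being held in sleep(), so a bot cannot tie up workers.
class LoginThrottle {
    private $records = array();   // ip => array('fails' => n, 'until' => unix ts)
    private $baseSeconds;
    private $maxSeconds;
    private $freeAttempts;

    public function __construct($baseSeconds = 1, $maxSeconds = 3600, $freeAttempts = 3) {
        $this->baseSeconds  = $baseSeconds;
        $this->maxSeconds   = $maxSeconds;
        $this->freeAttempts = $freeAttempts;
    }

    // Seconds the client must still wait; 0 means an attempt is allowed now.
    public function retryAfter($ip, $now) {
        if (!isset($this->records[$ip])) {
            return 0;
        }
        return max(0, $this->records[$ip]['until'] - $now);
    }

    // Record a failed login and return the penalty (seconds) just imposed.
    public function recordFailure($ip, $now) {
        $fails = isset($this->records[$ip]) ? $this->records[$ip]['fails'] + 1 : 1;
        $penalty = 0;
        if ($fails > $this->freeAttempts) {
            $exp = min(30, $fails - $this->freeAttempts - 1);   // keep pow() in int range
            $penalty = min($this->maxSeconds, $this->baseSeconds * pow(2, $exp));
        }
        $this->records[$ip] = array('fails' => $fails, 'until' => $now + $penalty);
        return $penalty;
    }

    // A successful login clears the counter for that client.
    public function recordSuccess($ip) {
        unset($this->records[$ip]);
    }
}

// Assumed use in the login handler (REMOTE_ADDR is only trustworthy when
// no reverse proxy sits in front of PHP; otherwise derive the client IP there):
$throttle = new LoginThrottle();
$wait = $throttle->retryAfter($_SERVER['REMOTE_ADDR'], time());
if ($wait > 0) {
    header('HTTP/1.1 429 Too Many Requests');
    header('Retry-After: ' . $wait);
    exit();
}
// ... verify credentials, then call recordFailure() or recordSuccess() ...
```

With the defaults a user who mistypes three times is never delayed, the fourth failure costs one second and the tenth about a minute, while a script keeps hitting the hour cap.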
Bots do not really care about your delay, whether it is exponential or logarithmic or anything. Any delay you use can be overcome by polling. So, do not think delay. Think about limiting the number of attempts and use Google reCAPTCHA. It uses public-private key encryption. Works for eliminating most bots and is harder to crack.