I have set up my db to log every failed login attempt. I thought I would multiply the number of failed attempts by 0.05 seconds or something. Something like:
// 50 000 000 ns = 0.05 s per recorded failed attempt for this IP
time_nanosleep(0, 50000000 * $failed_attempts);
The more attempts a hacker uses to guess a password, the more time it takes to check each one. After 100 failed passwords he must wait 5 seconds between each try.
Is this a good way to stop brute-forcing? I identify the users by IP. So I guess you can brute-force the application by using multiple proxy servers or something, but besides that, I think it is a good idea. What do you guys think?
Limit retries by IP and use a CAPTCHA. Don't overload your server; think KISS.
Bots do not really care about your delay, whether it is exponential or logarithmic or anything. Any delay you use can be overcome by polling. So, do not think delay. Think about limiting the number of attempts and using Google reCAPTCHA. It uses public-private key encryption. It works for eliminating most bots and is harder to crack.
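The answers above recommend counting attempts and refusing (or demanding a CAPTCHA) rather than sleeping, because a per-request sleep only slows the one connection that is sleeping, and a client that opens many connections in parallel gets the same guessing throughput. The following is an added example, written by the editor and not code posted by anyone in this thread; it is in Python rather than the asker's PHP so the logic is easy to follow. The thresholds (3 failures before a CAPTCHA, 10 before an outright block, a 15-minute window), the in-memory store, the IP addresses and the usernames are all constructed for the demo. Keying the counter on the target username as well as the client IP is the editor's addition, aimed at the asker's own caveat about proxy rotation: a fresh IP per guess defeats the IP counter, but every guess against one account still lands on that account's counter.

```python
import time
from collections import defaultdict, deque

# Constructed thresholds (assumptions, not from the thread).
WINDOW_SECONDS = 15 * 60   # failures older than this are forgotten
CAPTCHA_AFTER = 3          # failures before a CAPTCHA is demanded
BLOCK_AFTER = 10           # failures before the attempt is refused outright


class FailedLoginLimiter:
    """Counts recent failed logins per client IP and per target username.

    A real deployment (several PHP workers behind a web server) must keep
    these counters in shared storage such as the database or a cache; the
    in-memory dict here is only for the demonstration.
    """

    def __init__(self, window=WINDOW_SECONDS, captcha_after=CAPTCHA_AFTER,
                 block_after=BLOCK_AFTER, clock=time.monotonic):
        self.window = window
        self.captcha_after = captcha_after
        self.block_after = block_after
        self.clock = clock                     # injectable so tests can fake time
        self._attempts = defaultdict(deque)    # key -> timestamps of attempts

    def _recent(self, key):
        """Drop timestamps outside the window and return the live count."""
        now = self.clock()
        q = self._attempts[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def decision(self, ip, username):
        """Return 'allow', 'captcha' or 'block' for an attempt about to be checked.

        The larger of the two counters wins, so rotating IPs against one
        account or spraying one IP across many accounts both trip it.
        """
        n = max(self._recent(("ip", ip)), self._recent(("user", username)))
        if n >= self.block_after:
            return "block"
        if n >= self.captcha_after:
            return "captcha"
        return "allow"

    def record_attempt(self, ip, username):
        """Count the attempt BEFORE the password check, so parallel requests
        that all pass decision() at once are still counted."""
        now = self.clock()
        self._attempts[("ip", ip)].append(now)
        self._attempts[("user", username)].append(now)

    def record_success(self, ip, username):
        # A successful login clears the account's counter; the IP counter is
        # kept so a client guessing across many accounts stays throttled.
        self._attempts.pop(("user", username), None)


def attempt_login(limiter, ip, username, password, captcha_ok=False,
                  real_password="correct horse"):
    """Simulated login handler: enforce the limiter, then check the password."""
    verdict = limiter.decision(ip, username)
    if verdict == "block":
        return "blocked"
    if verdict == "captcha" and not captcha_ok:
        return "captcha required"
    limiter.record_attempt(ip, username)
    if password == real_password:
        limiter.record_success(ip, username)
        return "ok"
    return "bad password"


def proxy_rotation_demo(captcha_ok):
    """Twelve guesses against 'alice', each from a different (constructed) IP.

    Returns the per-attempt outcomes. No IP ever repeats, yet the per-username
    counter forces a CAPTCHA after 3 failures and a block after 10.
    """
    fake_now = [1000.0]
    limiter = FailedLoginLimiter(clock=lambda: fake_now[0])
    results = []
    for i in range(12):
        ip = f"203.0.113.{i}"          # constructed, documentation range
        results.append(attempt_login(limiter, ip, "alice", f"guess{i}", captcha_ok))
        fake_now[0] += 1.0
    return results


def window_expiry_demo():
    """Blocked key becomes usable again once the window has drained."""
    fake_now = [0.0]
    limiter = FailedLoginLimiter(clock=lambda: fake_now[0])
    for _ in range(BLOCK_AFTER):
        limiter.record_attempt("198.51.100.7", "bob")   # constructed IP
    before = limiter.decision("198.51.100.7", "bob")
    fake_now[0] += WINDOW_SECONDS + 1
    after = limiter.decision("198.51.100.7", "bob")
    return before, after


if __name__ == "__main__":
    print(proxy_rotation_demo(captcha_ok=False))
    print(proxy_rotation_demo(captcha_ok=True))
    print(window_expiry_demo())
```

Two design points carry over to any real implementation: the attempt is counted before the password is verified, so a burst of simultaneous requests cannot all slip through the check before the first one is recorded; and the CAPTCHA verification itself is not shown, since it requires a round trip to the provider, so `captcha_ok` simply stands in for "the provider said the token was valid".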