R – Best practice against password-list-attacks with webapplications


i'd like to prevent bots from hacking weak password-protected accounts. (e.g. this happend to ebay and other big sites)

So i'll set a (mem-) cached value with the ip, amount of tries and timestamp of last try (memcache-fall-out).

But what about bots trying to open any account with just one password. For example, the bot tries all 500.000 Useraccounts with the password "password123". Maybe 10 will open.

So my attempt was to just cache the ip with tries and set max-tries to ~50. The i would delete it after a successful login. So the good-bot would just login with a valid account every 49 tries to reset the lock.

Is there any way to do it right?
What do big platforms do about this?
What can i do to prevent idiots from blocking all users on a proxy with retrying 50 times?

If there is no best practice – does this mean any platform is brute-forceable? At least with a hint on when counters are resetted?

Best Solution

I think you can mix your solution with captchas:

  1. Count the number of tries per IP
  2. In case there are too many tries from a given IP address within a given time, add a captcha to your login form.
Related Question