Reputation: 26300
I want all the login attempts to my web application to take no less than 1 second, to make brute force attack less feasible. If I just put something like this in my code:
Thread.Sleep(1000)
I expect that I become susceptible to a very simple DDoS attack: just launch several dozen login requests to the site, and thread pool starvation will happen. (I don't believe that Thread.Sleep returns the thread to the thread pool, does it?)
What is the correct way to implement this feature?
Upvotes: 6
Views: 2112
Reputation: 15410
What you could do instead of sleeping the thread (you're right to be concerned about starvation) is to have a sliding window based upon unsuccessful login attempts for a given username. You could store this in the in-memory cache and ignore login attempts for that username if the sliding window has not yet elapsed.
There's a decent blog post on one possible implementation of this here:
Brute Force Protect Your Website
Upvotes: 5
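Added example illustrating the sliding-window idea in this answer (this is not code from the answer or from the linked blog post). Failed attempts are timestamped per username, timestamps older than the window are pruned on every check, and an attempt is rejected while the count inside the window is at or above the limit. The store is assumed to be a ConcurrentDictionary standing in for the ASP.NET in-memory cache so that the program runs as a plain console app; the usernames and the fake clock are constructed for the demo.

```csharp
// Added example, not code from the original post or the linked blog post.
// Sliding-window throttle of failed logins per username. The in-memory store is
// a ConcurrentDictionary (an assumption standing in for HttpRuntime.Cache or
// MemoryCache) so this runs as a plain console program.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;

public sealed class LoginThrottle
{
    private readonly int _maxFailures;
    private readonly TimeSpan _window;
    private readonly Func<DateTime> _clock;   // injectable so the demo can fake time
    private readonly ConcurrentDictionary<string, Queue<DateTime>> _failures =
        new ConcurrentDictionary<string, Queue<DateTime>>(StringComparer.OrdinalIgnoreCase);

    public LoginThrottle(int maxFailures, TimeSpan window, Func<DateTime> clock = null)
    {
        _maxFailures = maxFailures;
        _window = window;
        _clock = clock ?? (() => DateTime.UtcNow);
    }

    // True while the username has maxFailures or more failures inside the window.
    // The caller should reject the attempt without even checking the password.
    public bool IsThrottled(string username)
    {
        Queue<DateTime> q;
        if (!_failures.TryGetValue(username, out q)) return false;
        lock (q)
        {
            Prune(q);
            return q.Count >= _maxFailures;
        }
    }

    public void RecordFailure(string username)
    {
        Queue<DateTime> q = _failures.GetOrAdd(username, _ => new Queue<DateTime>());
        lock (q)
        {
            Prune(q);
            q.Enqueue(_clock());
        }
    }

    // A correct login clears the window so a legitimate user's typos are not carried over.
    public void RecordSuccess(string username)
    {
        Queue<DateTime> ignored;
        _failures.TryRemove(username, out ignored);
    }

    // Drop timestamps older than the window; this is what makes the window slide.
    private void Prune(Queue<DateTime> q)
    {
        DateTime cutoff = _clock() - _window;
        while (q.Count > 0 && q.Peek() < cutoff) q.Dequeue();
    }
}

public static class Demo
{
    public static void Main()
    {
        // Fake clock (constructed for the demo) so we do not actually wait five minutes.
        DateTime now = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        var throttle = new LoginThrottle(maxFailures: 3, window: TimeSpan.FromMinutes(5), clock: () => now);

        for (int i = 0; i < 3; i++) throttle.RecordFailure("alice");
        Console.WriteLine("after 3 failures, throttled: " + throttle.IsThrottled("alice"));
        Console.WriteLine("mixed-case lookup also throttled: " + throttle.IsThrottled("Alice"));

        now = now.AddMinutes(5).AddSeconds(1);     // the window has elapsed
        Console.WriteLine("after the window, throttled: " + throttle.IsThrottled("alice"));

        throttle.RecordFailure("alice");
        throttle.RecordSuccess("alice");
        Console.WriteLine("after a correct login, throttled: " + throttle.IsThrottled("alice"));
    }
}
```

Two caveats a practitioner should keep in mind with any per-username scheme: an attacker who knows a victim's username can lock that user out with three deliberate failures, so keep the window short (minutes, not hours) and prefer a throttle over a hard lock-out; and the dictionary grows with every attacker-chosen username, so in production bound its size or use a cache with expiry. It also does nothing against password spraying (one common password tried against many usernames), which needs a per-source-IP limit on top.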
Reputation: 1502196
If you want to make brute force attacks less feasible, why don't you implement a lock-out (force a password reset) after (say) 3 incorrect login attempts to the same account with no intervening correct login?
If you need DDoS protection, I would handle that separately - quite possibly with something before the traffic gets to your web server to start with. It really depends on whether you'
I don't know whether there's a simple way of delaying a response asynchronously in ASP.NET at the moment. I'm expecting that with the async stuff coming in C# 5 and .NET 5, you'll be able to return a Task<ActionResult>, at which point you'll be able to write something like:
await Task.Delay(1000);
Upvotes: 2
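Added example showing the await Task.Delay approach from this answer in working form (this is not code from the answer). The attempt is padded to a minimum duration rather than having a fixed second added, and the wait is awaited, so no thread-pool thread is held while the timer runs. CheckCredentials is a hypothetical stand-in for the real credential check, and the credentials and attempt count in Main are constructed for the demo.

```csharp
// Added example, not code from the original answer. Pads every login attempt to
// a minimum duration with Task.Delay, which parks a timer rather than a thread.
// CheckCredentials is a hypothetical stand-in for the real credential check.
using System;
using System.Diagnostics;
using System.Linq;
using System.Threading.Tasks;

public static class PaddedLogin
{
    private static readonly TimeSpan MinimumDuration = TimeSpan.FromSeconds(1);

    private static bool CheckCredentials(string user, string password)
    {
        // Hypothetical: a real implementation verifies a password hash.
        return user == "alice" && password == "correct horse battery staple";
    }

    // Pad to a minimum rather than add a fixed 1 s: the response time is then
    // the same for "wrong password" and "no such user" as long as the check
    // itself finishes inside the minimum, and the request thread is released
    // for the whole wait. In ASP.NET MVC 4 or later the same body fits inside
    //   public async Task<ActionResult> Login(LoginModel model)
    public static async Task<bool> LoginAsync(string user, string password)
    {
        Stopwatch sw = Stopwatch.StartNew();
        bool ok = CheckCredentials(user, password);
        TimeSpan remaining = MinimumDuration - sw.Elapsed;
        if (remaining > TimeSpan.Zero)
            await Task.Delay(remaining).ConfigureAwait(false);
        return ok;
    }

    public static async Task Main()
    {
        // 500 concurrent attempts finish in roughly one second of wall clock
        // in total: each awaits a timer, so no thread-pool thread is blocked.
        // 500 Thread.Sleep(1000) calls would instead pin 500 threads.
        Stopwatch total = Stopwatch.StartNew();
        Task<bool>[] attempts = Enumerable.Range(0, 500)
            .Select(i => LoginAsync("alice", "wrong" + i))
            .ToArray();
        bool[] results = await Task.WhenAll(attempts);
        Console.WriteLine("{0} attempts, {1} succeeded, {2:F2} s wall clock",
            results.Length, results.Count(r => r), total.Elapsed.TotalSeconds);
    }
}
```

The demo also shows the limit of this technique on its own: 500 attempts sent in parallel still complete in about a second, so the delay only slows a single connection and does not cap an attacker's guess rate. It belongs alongside a per-account or per-source throttle, not instead of one.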