Posted by Colin McKinnon on 04/09/07 19:15

Really, you can't. All you can do is make the system sufficiently secure
that the attacker can't brute-force an attack.

Also, bear in mind...

Tyno Gendo wrote:

> define('MAX_RETRIES', 5);
> $logged_in = false;
> $sql = "SELECT user_id, user_name, user_pass, user_tries
> FROM user WHERE user_name = '" . $_POST["username"]; . "';";
>

..... then you're just providing a mechanism for anyone to lock out any user
whose name is known. Also, unless you are very careful, you will end up
exposing usernames indirectly by the the time taken to process a response.

C.

[Back to original message]