Preventing brute force


I need advice for preventing brute force attacks. I have read many articles on the internet and many of them point to the same thing: locking the user account for a few minutes. This method won’t work for login credentials of users that don’t exist in the database.
Can you give me some advice on how I should prevent these attacks?

So this is for a sign-up form, not a log-in?


I was imagining a login page where some task was attempting brute-force logins until it hits a username / pw combo that works. I’d have thought that would be something the server would need to be involved in - blocking by IP or something.


For login form.

So they are trying to log in via brute force, but have not succeeded.

I’m struggling to understand your problem. If the user is not in the database, there should be no way they can log in.

Brute force generally means a bot making multiple attempts to guess a valid username and password.
So the usual systems block a user after so many failed attempts by one user.
How you then block them is up to you. It can be a rest period, an IP block or send them to a CAPTCHA to prove they are real.
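
The blocking options listed in the post above (rest period, IP block, CAPTCHA), as an added example that is not part of the original thread: a failed-login throttle that counts failures per submitted username and per client IP, so usernames that do not exist in the database are limited the same way as real accounts. The class name, thresholds and in-memory storage are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

# Thresholds are assumed values for illustration, not taken from the thread.
WINDOW = 15 * 60      # seconds a failed attempt is remembered
CAPTCHA_AFTER = 3     # recent failures before a CAPTCHA is required
BLOCK_AFTER = 5       # recent failures before attempts are refused


class LoginThrottle:
    """Counts failed logins per submitted username and per client IP.

    The username key is the submitted string itself, so a name that is not
    in the user database is throttled exactly like a real account.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)   # key -> failure timestamps

    @staticmethod
    def _keys(username, ip):
        return ("user", username.strip().lower()), ("ip", ip)

    def _recent(self, key):
        q = self._failures.get(key)
        if not q:
            return 0
        cutoff = self._clock() - WINDOW
        while q and q[0] <= cutoff:           # drop failures outside the window
            q.popleft()
        if not q:
            del self._failures[key]
        return len(q)

    def check(self, username, ip):
        """Call before verifying the password: 'allow', 'captcha' or 'block'."""
        worst = max(self._recent(k) for k in self._keys(username, ip))
        if worst >= BLOCK_AFTER:
            return "block"
        return "captcha" if worst >= CAPTCHA_AFTER else "allow"

    def record_failure(self, username, ip):
        now = self._clock()
        for k in self._keys(username, ip):
            self._failures[k].append(now)

    def record_success(self, username, ip):
        # Forgive only the per-username counter; the IP keeps its history.
        self._failures.pop(("user", username.strip().lower()), None)
```

Return the same generic "invalid username or password" response whether or not the account exists, so the throttle does not reveal which usernames are real.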


You need to read this post about security. It’s a bit old, but you will get an idea of how to prevent it.
