Can anyone please let me know about the term "Account Lockout", and how do I implement it in PHP? The information below I got from a web site security/audit tool called "ACUNETIX".
Description
"A common threat web developers face is a password-guessing attack known as a brute force attack. A brute force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers and symbols until you discover the one correct combination that works.
This login page does not have any protection against password-guessing attacks (brute force attack). Consult Web references for more information about fixing this problem.
Impact
An attacker may attempt to discover a weak password by systematically trying every possible combination of letters, numbers and symbols until it discovers the one correct combination that works.
Recommendation
It's recommended to implement some type of account lockout after a defined number of incorrect password attempts."
Best Answer
You can look at this PHP example:
http://www.weberdev.com/get_example-1380.html
You need to save in the DB how many times the user tries and fails to log in;
after 3 times, you block the user from entering your site.
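The lockout the answer describes, written out as an added example (not code from the original post or from the linked site): a failed-attempt counter kept in the users table, reset on a successful login, and an account lock once the counter reaches 3. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table and column names, the `attemptLogin` function, the sample user and the 15-minute lockout window are all assumptions made for this example.

```php
<?php
// Added example, not the original post's code. Account lockout in PHP:
// count failed logins per user in the database and lock the account
// after a threshold. In-memory SQLite via PDO keeps it self-contained;
// in production point PDO at the real users table.
declare(strict_types=1);

const MAX_FAILED_ATTEMPTS = 3;        // threshold from the answer above
const LOCKOUT_SECONDS     = 15 * 60;  // assumed lockout window (15 minutes)

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed schema: the counter and the lock expiry live next to the hash.
    $db->exec('CREATE TABLE users (
        username        TEXT PRIMARY KEY,
        password_hash   TEXT NOT NULL,
        failed_attempts INTEGER NOT NULL DEFAULT 0,
        locked_until    INTEGER NULL
    )');
    // Constructed sample user; the hash is generated at runtime, never stored in code.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

/**
 * Attempt a login and return 'ok', 'locked' or 'bad_credentials'.
 * The counter resets on success; once it reaches MAX_FAILED_ATTEMPTS the
 * account is locked until $now + LOCKOUT_SECONDS, and even the correct
 * password is refused while the lock is in force.
 */
function attemptLogin(PDO $db, string $username, string $password, int $now): string {
    $stmt = $db->prepare(
        'SELECT password_hash, failed_attempts, locked_until FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: verify against a dummy value so the response time resembles
    // that of a real user, then give the same generic failure (no user enumeration).
    if ($row === false) {
        password_verify($password, '$2y$10$' . str_repeat('x', 53));
        return 'bad_credentials';
    }

    // Lock check comes first so a locked account cannot be probed at all.
    if ($row['locked_until'] !== null && (int)$row['locked_until'] > $now) {
        return 'locked';
    }

    if (password_verify($password, $row['password_hash'])) {
        $db->prepare('UPDATE users SET failed_attempts = 0, locked_until = NULL WHERE username = ?')
           ->execute([$username]);
        return 'ok';
    }

    // Wrong password: bump the counter and lock when the threshold is reached.
    $failed      = (int)$row['failed_attempts'] + 1;
    $lockedUntil = $failed >= MAX_FAILED_ATTEMPTS ? $now + LOCKOUT_SECONDS : null;
    $db->prepare('UPDATE users SET failed_attempts = ?, locked_until = ? WHERE username = ?')
       ->execute([$failed, $lockedUntil, $username]);
    return $lockedUntil === null ? 'bad_credentials' : 'locked';
}

// Demonstration: three wrong guesses lock the account, the correct password is
// then refused inside the window, and accepted once the window has passed.
$db  = connect();
$now = time();
foreach (['wrong1', 'wrong2', 'wrong3'] as $guess) {
    echo attemptLogin($db, 'alice', $guess, $now), PHP_EOL;
}
echo attemptLogin($db, 'alice', 'correct horse battery staple', $now), PHP_EOL;
echo attemptLogin($db, 'alice', 'correct horse battery staple', $now + LOCKOUT_SECONDS + 1), PHP_EOL;
```

Two design choices worth noting. The lock is time-limited rather than permanent: a permanent block after three failures lets anyone who knows a username deny that user access simply by typing wrong passwords, so a lockout window (with an alert or log entry for the administrator) is the usual compromise. And the counter is updated through prepared statements with the password checked by `password_verify`, so the lockout code does not itself open the login form to SQL injection or store passwords in the clear.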