|
OK, well, here's an initial observation: 1. Your login page leaks information, as it returns "username not found" if you enter an invalid username. This is a bad idea. Better to simply say "login failed" in any case. Now, thanks to a few minutes of playing around, I have a fairly good idea that "admin" is a valid username on projecteuler.net. For the sake of argument, let's assume that's a real account, and actually has some administrative access... that's a bad idea. "Security through obscurity" is oft derided, but no sense making it easy for the bad guys. Make your admin username "flummoxedrabbit" or something that nobody bothers trying. As it is, I'm hoping this "admin" account is a dummy or a honeypot or something, but if it isn't, I definitely encourage you to change that and quit leaking username validity information. 2. From the limited testing I did, it doesn't appear that you limit the number of failed login attempts. Or if you do, the login limit is awfully high. I tried logging in 10 times and as far as I can tell, I could have kept going. If there really is no limit, it's probably not that hard to brute force your password. There are plenty of scripts and browser plugins to sit there and try to login repeatedly, trying to brute force forms like that. 3. In addition to limiting the number of login attempts, it's possibly a good idea to add a steadily increasing delay before accepting another login try from the same IP address, after each failed login. This will slow down at least some attempts to brute force your password. 4. You could consider some sort of Multi-Factor Authentication setup. 5. You could also consider adding code to do something similar to what fail2ban does, and automatically block connections from an IP where more than X failed logins originate in some period of time. |
#2-#5 are all good points, though, and would help prevent username enumeration as well.