Password guessing/Brute-force attack prevention in Laravel Authentication

Today we are discussing an internet safety tip for your Laravel web application: password guessing, also known as a brute-force attack, and a method for preventing it.

What is a Brute Force attack?

A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing a combination correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.

About solutions.

Laravel is a very popular PHP framework with its own authentication process for login and signup functionality.
The Laravel Auth controller manages the user login process. To protect the login against password guessing, we will use the standard Laravel feature Login Throttling.
This is a form of rate limiting: limiting how often the login form can be submitted defends against brute-force guessing.

If you are using Laravel’s built-in LoginController class, the Illuminate\Foundation\Auth\ThrottlesLogins trait will already be included in your controller.
By default, the user will not be able to login for one minute if they fail to provide the correct credentials after several attempts. The throttling is unique to the user’s username/e-mail address and their IP address.

How to fix it?

1. In your app/Http/Controllers/Auth/LoginController.php, check whether the ThrottlesLogins trait is already present. If not, add it to the LoginController class.

use Illuminate\Foundation\Auth\ThrottlesLogins;

class LoginController extends Controller
{
    // Importing the trait above is not enough; it must be applied inside the class.
    // Only add this line if the trait is not already pulled in by AuthenticatesUsers.
    use ThrottlesLogins;

    //...
}

2. In your app/Http/Controllers/Auth/LoginController.php, you need to add these two properties.

class LoginController extends Controller
{
    protected $maxAttempts = 3;  // Failed attempts allowed before lockout (default is 5)
    protected $decayMinutes = 5; // Lockout / attempt-counting window in minutes (default is 1)

    //...
}

These properties override the defaults, so you can allow fewer or more attempts per window and set a shorter or longer restriction time.
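To see how the two properties and the username-plus-IP scope described above interact, here is an added Python model of the ThrottlesLogins behaviour. It is not Laravel's own code; the key format (lower-cased username, a `|`, then the client IP) and the fixed counting window that starts at the first failure are assumptions modelled on the trait.

```python
"""Model of Laravel login throttling (constructed example, not Laravel's code)."""
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    max_attempts: int = 3   # mirrors LoginController::$maxAttempts from the page
    decay_minutes: int = 5  # mirrors LoginController::$decayMinutes from the page
    # throttle key -> (failed attempt count, window expiry as unix seconds)
    attempts: dict = field(default_factory=dict)

    @staticmethod
    def throttle_key(username: str, ip: str) -> str:
        # Assumed key layout: lower-cased username joined to the client IP.
        return f"{username.strip().lower()}|{ip}"

    def _state(self, key: str, now: int):
        count, expires = self.attempts.get(key, (0, None))
        if expires is not None and now >= expires:
            # Window elapsed: counter and lockout are dropped together.
            self.attempts.pop(key, None)
            return 0, None
        return count, expires

    def is_locked_out(self, username: str, ip: str, now: int) -> bool:
        count, _ = self._state(self.throttle_key(username, ip), now)
        return count >= self.max_attempts

    def seconds_until_unlock(self, username: str, ip: str, now: int) -> int:
        count, expires = self._state(self.throttle_key(username, ip), now)
        return max(0, expires - now) if count >= self.max_attempts else 0

    def attempt_login(self, username: str, ip: str, password_ok: bool, now: int) -> str:
        key = self.throttle_key(username, ip)
        count, expires = self._state(key, now)
        if count >= self.max_attempts:
            return "locked_out"  # checked before credentials, so even a correct password waits
        if password_ok:
            self.attempts.pop(key, None)  # successful login clears the counter
            return "ok"
        if expires is None:
            expires = now + self.decay_minutes * 60  # first failure opens the window
        self.attempts[key] = (count + 1, expires)
        return "failed"


if __name__ == "__main__":
    t, now = LoginThrottle(), 1_000
    for i in range(4):  # constructed sample: four bad passwords from one address
        print(t.attempt_login("alice@example.com", "203.0.113.5", False, now + i))
    print("other IP locked?", t.is_locked_out("alice@example.com", "198.51.100.9", now + 4))
```

The last line shows the caveat a defender should keep in mind: because the key includes the client IP, guesses spread across many addresses are each throttled separately, so this control should be paired with monitoring of failed-login volume per account.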


I hope it works for you. Happy coding 🙂