Should user account be locked after X amount of failed logins?


I have almost finished developing my login system and there is one more thing that I'm not sure about. I found so many debates on the internet about counting invalid logins and locking user accounts. My system stores user names and passwords (salted and hashed) in a database. If a user enters an invalid user name or password I keep track of their Username, Password, LoginTime, SessionID, IP and Browser. Here is an example:

LoginID  LoginTime                LoginUN  LoginPW   LoginSessionID  LoginIP     LoginBrowser
1        2018-03-15 13:40:25.000  jpapis   test      E72E.cfusion    10.18.1.37  Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
98       2018-03-15 13:48:45.000  mhart    mypass55  E72E.cfusion    10.12.1.87  Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
32       2018-03-15 14:29:14.000  skatre   1167mmB!  378E.cfusion    10.36.1.17  Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0

I'm wondering if I should lock the account after X attempts? If so, what would be the best practice to do that? Here is one approach that I found:

-- Count this identity's failed logins in the last 60 minutes. There is deliberately no
-- GROUP BY: grouping by LoginID (a unique key) would give every row its own group with a
-- count of 1, so the HAVING threshold could never be reached.
SELECT COUNT(LoginID) AS countID
FROM FailedLogins
WHERE (LoginUN = '#username#' OR LoginSessionID = '#SESSION.sessionid#' OR LoginIP = '#REMOTE_ADDR#')
    AND DATEDIFF(mi, LoginTime, GETDATE()) <= 60
HAVING COUNT(LoginID) >= 5;

The query above will look for the username, session ID or IP address. If any of these is found in the FailedLogins table within 60 minutes and the count is greater than 5, I would lock the account. The only problem here is that I'm not sure what this would prevent; a brute force attack can send way too many attempts in 60 minutes, so I'm not sure what the benefit of checking failed logins this way would be. Is there a better way to handle failed logins nowadays? Should I even lock the account? If anyone can provide some thoughts and examples, please let me know. Thank you.
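The query in the question folds username, session ID and IP address into a single OR'd count, so a burst of typos from several people behind one shared address can lock an unrelated account. The following is an added example, not code from the question or either answer, that contrasts that combined rule with counting each identity separately against its own threshold; the rows, session IDs, thresholds and the "current" time NOW are constructed for the example and mirror the shape of the asker's FailedLogins table.

```python
from datetime import datetime, timedelta

# Constructed rows in the shape of the question's FailedLogins table:
# (LoginTime, LoginUN, LoginSessionID, LoginIP). All values are made up.
FAILED_LOGINS = [
    (datetime(2018, 3, 15, 12, 0, 0),   "jpapis",  "E72E.cfusion", "10.18.1.37"),  # outside window
    (datetime(2018, 3, 15, 13, 40, 25), "jpapis",  "E72E.cfusion", "10.18.1.37"),
    (datetime(2018, 3, 15, 13, 41, 2),  "jpapis",  "E72E.cfusion", "10.18.1.37"),
    (datetime(2018, 3, 15, 13, 42, 40), "jpapis",  "E72E.cfusion", "10.18.1.37"),
    (datetime(2018, 3, 15, 13, 43, 11), "jpapis",  "E72E.cfusion", "10.18.1.37"),
    (datetime(2018, 3, 15, 13, 44, 59), "jpapis",  "E72E.cfusion", "10.18.1.37"),
    (datetime(2018, 3, 15, 13, 48, 45), "mhart",   "A1B2.cfusion", "10.12.1.87"),
    (datetime(2018, 3, 15, 13, 50, 3),  "mhart",   "A1B2.cfusion", "10.12.1.87"),
    # Four other users behind the same NAT address as mhart, one failure each.
    (datetime(2018, 3, 15, 14, 1, 0),   "skatre",  "378E.cfusion", "10.12.1.87"),
    (datetime(2018, 3, 15, 14, 5, 0),   "rlee",    "9C0D.cfusion", "10.12.1.87"),
    (datetime(2018, 3, 15, 14, 9, 0),   "tnguyen", "4F4F.cfusion", "10.12.1.87"),
    (datetime(2018, 3, 15, 14, 12, 0),  "pdiaz",   "77AA.cfusion", "10.12.1.87"),
]
NOW = datetime(2018, 3, 15, 14, 30, 0)  # constructed "current" time for the sample

def in_window(rows, now, window_minutes=60):
    """Rows whose LoginTime is within the last window_minutes (DATEDIFF(mi, ...) <= 60)."""
    cutoff = now - timedelta(minutes=window_minutes)
    return [r for r in rows if cutoff <= r[0] <= now]

def combined_count(rows, username, session_id, ip, now):
    """The question's rule: one count over username OR session OR IP."""
    return sum(1 for _, un, sid, addr in in_window(rows, now)
               if un == username or sid == session_id or addr == ip)

def lockout_decision(rows, username, session_id, ip, now,
                     user_threshold=5, session_threshold=5, ip_threshold=20):
    """Count each identity separately and return (locked, reason).

    The IP threshold is deliberately higher: many legitimate users can share one
    address (NAT, corporate proxy), so their combined typos must not lock every
    account behind it. A per-username lock still protects the targeted account."""
    recent = in_window(rows, now)
    counts = {
        "username": sum(1 for r in recent if r[1] == username),
        "session":  sum(1 for r in recent if r[2] == session_id),
        "ip":       sum(1 for r in recent if r[3] == ip),
    }
    limits = {"username": user_threshold, "session": session_threshold, "ip": ip_threshold}
    for key in ("username", "session", "ip"):
        if counts[key] >= limits[key]:
            return True, f"{key} {counts[key]} >= {limits[key]}"
    return False, None
```

With these rows, mhart has only two failures of their own but reaches 6 under the combined rule because of the shared address, while the per-identity rule leaves the account usable.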


AutoBootDisk

You must create a password lockout system only for paid or premium accounts, or if the website you or someone else owns is extremely popular (more than 100,000 annual viewers), as they are the most valued and the most likely to be attacked. If you expect such a volume of people, then it is best practice to implement this. You can see many large corporations doing this: Google locks people out of accounts because they can contain money, like Google Play Store credits or Android Pay wallets. The same goes for Minecraft accounts, Netflix accounts, etc. The algorithm behind this is something like this:

<?php
// $dbconnect is an open mysqli connection, $loginrow is the user's row from the
// logins table (its 'login' column holds a password_hash() hash), and $password
// is the password submitted with this attempt.
$user = $loginrow['user'];

if (password_verify($password, $loginrow['login']))
{
   //Do your login sequence here
}
else
{
  if ($loginrow['AttemptsInPastFifteenMinutes'] >= 15)
  {
     // Recurring event that clears every user's counter every 15 minutes;
     // IF NOT EXISTS keeps repeated calls from failing on the duplicate name.
     mysqli_query($dbconnect, 'CREATE EVENT IF NOT EXISTS reset ON SCHEDULE EVERY 15 MINUTE DO UPDATE logins SET AttemptsInPastFifteenMinutes = 0');
     echo '<script>alert("You have typed in invalid passwords too many times. Please try again later.");</script>';
  }
  else
  {
     // Increment the counter with a prepared statement so the user name is
     // never concatenated into the SQL.
     $stmt = mysqli_prepare($dbconnect, 'UPDATE logins SET AttemptsInPastFifteenMinutes = AttemptsInPastFifteenMinutes + 1 WHERE user = ?');
     mysqli_stmt_bind_param($stmt, 's', $user);
     mysqli_stmt_execute($stmt);
     echo '<script>alert("Invalid username or password");</script>';
  }
}

Adrian J. Moreno

Agree with @Ageax on checking Information Security.

I'm not sure that I need this kind of security check in my system.

Yes, you do. You always do. It's those that don't that often appear on the news.

Some best practices:

  • Lock account after X number of failed logins.
  • Keep a record of Y past passwords (hashed, not plain text). When someone updates their password, check the new one against the old ones so they can't reuse recent passwords (compare hashes).
  • Monitor failed attempts past X to determine if you need to block IP addresses if failed attempts become excessive.
  • When a user's login fails, never tell them if it was specifically the user name or the password that was incorrect. You're just helping hackers progress faster.

Do some reading on the other site and see what else is recommended.