I'm creating a login system and want to block the person trying to log in for a few minutes when the wrong username and password are given for lets say 4 times.
I know how to block it on IP but that would create a block for eg. an entire school, if I'm there. Now I could use the username that the person is entering to block access but that leaves the possibility that the username entered does not exist in the database.
My question is: How can I create that block for someone that enters a username that does not exist. And what kind of database tables would i need for that.
Also i have looked for the possibility to use the session and cookies for it but that leaves a security issue of software that people can create to remove the sessions and cookies.
So if anyone could help me, I would appreciate it.
I believe you are trying to escape from the brute-force attacks, rather than a poor husband who forgot his username.
Implement a difficult CAPTCHA mechanism, so you could prevent most of the automated attacks. Simultaneously keep count of the attempts from a particular IP address and the interval between those successive attempts. If any attack manages to solve your CAPTCHA, still you can detect the abnormal activity in a couple of minutes and block access to that entire IP. It might put a whole organisation offline for a while, but at least you can help them out from experiencing a blackout because of a serious attack.
Sessions and cookies are not going to help because most of the brute-force systems clear and generate a new cookie for every request.