Designing Secure Login Interfaces: Risks and Countermeasures
This article examines common security threats to login APIs such as brute‑force attacks, man‑in‑the‑middle interception, and credential enumeration, and presents practical countermeasures including captchas, IP and account lockout, mobile verification, HTTPS enforcement, and comprehensive logging to harden authentication systems.
For most web back‑end developers, the first real project after "hello world" is a login feature, and many implementations stop once it works: the password is checked, a session is issued, and security is never revisited. This article discusses the additional security considerations a login interface needs beyond that basic functionality.
Security Risks
Brute‑Force Attacks
Any publicly reachable login endpoint will be hit by attackers who submit candidate passwords from a dictionary (common passwords, leaked credential lists) for a chosen username until one succeeds. Without rate limiting, the only cost to the attacker is bandwidth.
Example pseudocode (attacker side; the strings and endpoint are placeholders):
import requests

# password dictionary: one candidate per entry
password_dict = []
# login endpoint under attack
login_url = ''

def attack(username):
    for password in password_dict:
        data = {'username': username, 'password': password}
        content = requests.post(login_url, data=data).content.decode('utf-8')
        if 'login success' in content:
            print('got it! password is : %s' % password)
            return password
    return None
Captcha
One mitigation is to require a captcha once an account has accumulated a few failed attempts, so each further guess costs human effort. The failure counter is keyed by username and reset on a successful login:
fail_count = get_from_redis(fail_username)
if fail_count >= 3:
    if captcha is None:
        return error('captcha required')
    if not check_captcha(captcha):
        return error('captcha incorrect')
success = do_login(username, password)
if not success:
    set_redis(fail_username, fail_count + 1)
else:
    set_redis(fail_username, 0)
Login Lockout
Lock an account after many failed attempts (here: captcha from the 3rd failure, a five‑minute lock from the 10th). Keep the lock time‑limited: a permanent lock hands an attacker a denial‑of‑service lever against any account whose username they know.
fail_count = get_from_redis(fail_username)
locked = get_from_redis(lock_username)
if locked:
    return error('login refused: account temporarily locked')
if fail_count >= 3:
    if captcha is None:
        return error('captcha required')
    if not check_captcha(captcha):
        return error('captcha incorrect')
success = do_login(username, password)
if not success:
    set_redis(fail_username, fail_count + 1)
    if fail_count + 1 >= 10:
        # 10 or more failures: set the lock flag with a 300 s expiry
        set_redis(lock_username, True, ttl=300)
else:
    set_redis(fail_username, 0)
IP Restriction
Throttling or blocking a source IP after repeated failures limits how fast a single machine can guess, but it affects legitimate users behind the same NAT or proxy and is bypassed by attackers who rotate addresses through VPNs, proxies or botnets. Use it as a short‑lived throttle rather than a permanent ban, and take the address from the connection itself (or from a forwarding header only when your own proxy sets it), because a spoofable header lets the attacker choose which address gets blocked.
ip = request['IP']
fail_count = get_from_redis(fail_ip)
if fail_count > 10:
    return error('login refused: too many attempts from this address')
# other checks (captcha, account lock) go here
success = do_login(username, password)
if not success:
    # count the failure against the source IP; the counter expires after 300 s
    set_redis(fail_ip, fail_count + 1, ttl=300)
Mobile Verification
Combining the captcha with an SMS one‑time code after many failures raises the attack cost further: the attacker now needs the user's phone, not just a dictionary. Invalidate the code after a wrong guess so that the code itself cannot be brute‑forced.
fail_count = get_from_redis(fail_username)
if fail_count > 3:
    if captcha is None:
        return error('captcha required')
    if not check_captcha(captcha):
        return error('captcha incorrect')
if fail_count > 10:
    if dynamic_code is None:
        return error('please enter the SMS verification code')
    if not validate_dynamic_code(username, dynamic_code):
        delete_dynamic_code(username)  # one wrong guess burns the code
        return error('SMS verification code incorrect')
success = do_login(username, password, dynamic_code)
if not success:
    set_redis(fail_username, fail_count + 1)
else:
    set_redis(fail_username, 0)
Man‑in‑the‑Middle (MITM) Attacks
An attacker on the network path (a rogue Wi‑Fi hotspot, a compromised router or proxy) can read or modify login requests sent in clear text and steal the credentials. The simplest and most effective defense is to enforce HTTPS on the login endpoint and on every page that leads to it: redirect HTTP to HTTPS, set an HSTS header so browsers stop trying HTTP, and never accept a credential that arrived over plain HTTP. TLS provides three properties:
Content encryption
Data integrity
Identity verification (the server's certificate proves to the client which site it is talking to)
Beyond HTTPS, some teams additionally encrypt the username client‑side with the server's public key and hash the password before transmission. Treat this as defense in depth at best, not a substitute for TLS: a client‑side hash such as MD5 simply becomes the new password‑equivalent credential, so an attacker who captures it can replay it without ever learning the password, and a man in the middle who controls the page can strip the hashing code anyway. The server must still store passwords with a salted, slow hash (bcrypt, scrypt, Argon2 or PBKDF2), never a bare MD5.
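As an added example (not code from the original article), the following WSGI middleware enforces the HTTPS rule at the application layer: plain‑HTTP GETs are redirected to the HTTPS URL, a plain‑HTTP POST (whose body has already leaked) is refused rather than redirected, and every HTTPS response carries a Strict‑Transport‑Security header. It assumes a TLS‑terminating reverse proxy that sets X‑Forwarded‑Proto, and the host name and app are placeholders.

```python
# Added example: WSGI middleware that refuses credential traffic over plain
# HTTP. Assumes a trusted TLS-terminating proxy may set X-Forwarded-Proto;
# that header is only honoured when trust_forwarded_proto=True.
from urllib.parse import quote

HSTS = "max-age=31536000; includeSubDomains"


def request_is_https(environ, trust_forwarded_proto=False):
    """True if the request arrived over TLS.

    X-Forwarded-Proto is only believed when a trusted proxy is in front of
    us; otherwise any client could claim 'https' on a clear-text connection.
    """
    if trust_forwarded_proto:
        forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
        if forwarded:
            return forwarded.split(",")[0].strip().lower() == "https"
    return environ.get("wsgi.url_scheme", "http").lower() == "https"


def https_url(environ):
    """Rebuild the requested URL with the https scheme."""
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    path = quote(environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")
    return "https://%s%s%s" % (host, path, "?" + query if query else "")


class EnforceHTTPS:
    """HTTP GET/HEAD -> 301 to https; HTTP POST -> 403; HTTPS -> app + HSTS."""

    def __init__(self, app, trust_forwarded_proto=False):
        self.app = app
        self.trust_forwarded_proto = trust_forwarded_proto

    def __call__(self, environ, start_response):
        if not request_is_https(environ, self.trust_forwarded_proto):
            method = environ.get("REQUEST_METHOD", "GET").upper()
            if method in ("GET", "HEAD"):
                start_response("301 Moved Permanently",
                               [("Location", https_url(environ)),
                                ("Content-Type", "text/plain")])
                return [b"redirecting to https"]
            # A POST over HTTP has already exposed its body; redirecting it
            # would make the browser resend the credentials, so refuse it.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"credentials must be sent over https"]

        def start_with_hsts(status, headers, exc_info=None):
            headers = [h for h in headers
                       if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_hsts)


def call(app, environ):
    """Tiny harness: run one request, return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def login_form_app(environ, start_response):
    """Placeholder application standing in for the real login handler."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"login form"]


def demo():
    """Constructed sample requests (host and path are placeholders)."""
    app = EnforceHTTPS(login_form_app, trust_forwarded_proto=True)
    base = {"HTTP_HOST": "example.test", "PATH_INFO": "/login", "QUERY_STRING": ""}
    plain_get = dict(base, REQUEST_METHOD="GET", **{"wsgi.url_scheme": "http"})
    plain_post = dict(base, REQUEST_METHOD="POST", **{"wsgi.url_scheme": "http"})
    proxied = dict(base, REQUEST_METHOD="GET", HTTP_X_FORWARDED_PROTO="https",
                   **{"wsgi.url_scheme": "http"})
    return {"plain_get": call(app, plain_get),
            "plain_post": call(app, plain_post),
            "proxied_https": call(app, proxied)}


if __name__ == "__main__":
    for name, (status, headers, body) in demo().items():
        print(name, status, dict(headers))
```

The middleware only decides whether the request is already on TLS; termination itself happens in the proxy or web server. If the proxy is the one speaking TLS, it must overwrite any X‑Forwarded‑Proto the client sent, otherwise the trust flag lets a clear‑text client bypass the redirect.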
Additional Recommendations
Record an audit log for every login attempt and sensitive action: timestamp, account, source IP, user agent or device, and the outcome, so that a brute‑force campaign or a compromised account can be reconstructed afterwards.
Alert the user (SMS/email) on abnormal login activity, such as a login from a new device or location, or a burst of failed attempts.
Enforce a strong password policy and reject weak or previously breached passwords.
Prevent username enumeration: return the same generic error (and take the same time) for "unknown user" and "wrong password", and limit what registration and password‑reset checks reveal about whether an account exists.
Review and improve these measures continuously; no system is absolutely safe.
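As an added example (not the article's own code), here is one login handler that combines the layered controls from the earlier sections (per‑account failure counter, captcha, SMS code, time‑limited lock, per‑IP throttle) with the recommendations in this list: a salted slow hash verified in constant time, the same error text and the same hashing work for unknown users and wrong passwords, and an audit record per attempt. An in‑memory store with expiry stands in for Redis, and every name, threshold, and the "ok"/"123456" captcha and SMS values are assumptions chosen for the example.

```python
# Added example: layered login handler. TtlStore is an in-memory stand-in
# for Redis; thresholds, key names and the demo secrets are assumptions.
import hashlib
import hmac
import os
import time

CAPTCHA_AFTER, OTP_AFTER, LOCK_AFTER, IP_LIMIT = 3, 10, 15, 30
LOCK_SECONDS, WINDOW_SECONDS = 300, 300
GENERIC_ERROR = "invalid username or password"   # identical text for every credential failure


class TtlStore:
    """Minimal GET/SET/INCR-with-expiry store; `clock` is injectable for tests."""
    def __init__(self, clock=time.time):
        self.data, self.clock = {}, clock

    def get(self, key, default=None):
        item = self.data.get(key)
        if item is None or item[1] <= self.clock():
            self.data.pop(key, None)
            return default
        return item[0]

    def set(self, key, value, ttl):
        self.data[key] = (value, self.clock() + ttl)

    def incr(self, key, ttl):
        value = self.get(key, 0) + 1
        self.set(key, value, ttl)
        return value

    def delete(self, key):
        self.data.pop(key, None)


def hash_password(password, salt=None, rounds=50_000):
    """Salted PBKDF2-HMAC-SHA256; raise `rounds` for production."""
    salt = salt or os.urandom(16)
    return salt, rounds, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def verify_password(password, record):
    salt, rounds, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


DUMMY_RECORD = hash_password("placeholder")   # hashed for unknown usernames too


class LoginGate:
    def __init__(self, users, store, otp_check, captcha_check):
        self.users, self.store = users, store
        self.otp_check, self.captcha_check = otp_check, captcha_check
        self.audit = []   # stand-in for the operation log: (user, ip, outcome)

    def login(self, username, password, ip, captcha=None, otp=None):
        fails = self.store.get("fail:user:" + username, 0)
        if self.store.get("lock:user:" + username):
            return self._deny(username, ip, "locked", "account temporarily locked")
        if self.store.get("fail:ip:" + ip, 0) >= IP_LIMIT:
            return self._deny(username, ip, "ip_blocked", "too many attempts")
        if fails >= CAPTCHA_AFTER and not (captcha and self.captcha_check(captcha)):
            return self._deny(username, ip, "captcha_required", "captcha required")
        if fails >= OTP_AFTER and not (otp and self.otp_check(username, otp)):
            return self._deny(username, ip, "otp_required", "SMS code required")
        # Run the hash even for unknown users so timing does not reveal existence.
        record = self.users.get(username, DUMMY_RECORD)
        ok = verify_password(password, record) and username in self.users
        if not ok:
            n = self.store.incr("fail:user:" + username, WINDOW_SECONDS)
            self.store.incr("fail:ip:" + ip, WINDOW_SECONDS)
            if n >= LOCK_AFTER:
                self.store.set("lock:user:" + username, True, LOCK_SECONDS)
            return self._deny(username, ip, "bad_credentials", GENERIC_ERROR)
        self.store.delete("fail:user:" + username)
        self.audit.append((username, ip, "success"))
        return {"ok": True, "reason": "success"}

    def _deny(self, username, ip, reason, message):
        self.audit.append((username, ip, reason))
        return {"ok": False, "reason": reason, "error": message}


def make_gate(users, clock):
    store = TtlStore(clock=lambda: clock[0])
    return LoginGate(users, store, otp_check=lambda u, c: c == "123456",
                     captcha_check=lambda c: c == "ok")


def demo():
    """Constructed run: three wrong guesses, then the right password with and without captcha."""
    gate = make_gate({"alice": hash_password("correct horse battery staple")}, [1_000_000.0])
    ip, real = "203.0.113.9", "correct horse battery staple"
    reasons = [gate.login("alice", "guess%d" % i, ip)["reason"] for i in range(3)]
    reasons.append(gate.login("alice", real, ip)["reason"])                # captcha now required
    reasons.append(gate.login("alice", real, ip, captcha="ok")["reason"])  # succeeds, counter reset
    unknown = gate.login("nobody", "x", ip)["error"]                      # same text as wrong password
    return reasons, unknown


def demo_lockout():
    """Attacker with a working captcha/OTP solver still hits the lock; it expires with the TTL."""
    clock = [1_000_000.0]
    gate = make_gate({"bob": hash_password("s3cret")}, clock)
    for i in range(LOCK_AFTER):
        gate.login("bob", "wrong%d" % i, "198.51.100.7", captcha="ok", otp="123456")
    locked = gate.login("bob", "s3cret", "198.51.100.7", captcha="ok", otp="123456")["reason"]
    clock[0] += LOCK_SECONDS + 1          # lock and failure window both expire
    recovered = gate.login("bob", "s3cret", "198.51.100.7")["reason"]
    return locked, recovered


if __name__ == "__main__":
    print(demo(), demo_lockout())
```

The ordering matters: the lock and IP checks run before any hashing so a blocked client cannot burn CPU, and the captcha and SMS gates return before the counter is touched, as in the pseudocode above. In production the PBKDF2 work factor should be far higher than the demo value, the store should be Redis with the same TTL semantics, and the audit list should go to a real log pipeline.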
Conclusion
With increasing regulations on user data, developers must adopt comprehensive security practices for authentication systems. The discussed techniques—captcha, account/IP lockout, mobile verification, HTTPS, logging, and others—help raise the attacker's cost and protect user credentials.
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.