How to Secure Your Login API Against Brute‑Force, MITM, and Other Attacks

This article explains common login security risks such as brute‑force password guessing and man‑in‑the‑middle interception, and shows practical countermeasures like captcha enforcement, login throttling and account locking, IP‑based blocking, phone verification, HTTPS adoption, and data encryption.

Liangxu Linux

Introduction

When learning web backend development, many newcomers implement a simple login function without considering security. This guide reviews the security aspects that should be addressed when designing a login interface.

Security Risks

Brute‑Force Attacks

Exposed public sites are vulnerable to password‑guessing attacks where an attacker enumerates usernames and tries many passwords until one succeeds.

import requests

# password dictionary (a list of candidate passwords; empty here)
password_dict = []
# login endpoint
login_url = ''

def attack(username):
    # try each candidate password against the login endpoint
    for password in password_dict:
        data = {'username': username, 'password': password}
        content = requests.post(login_url, data=data).content.decode('utf-8')
        if 'login success' in content:
            print('got it! password is : %s' % password)

Captcha Enforcement

After a certain number of failed attempts, require the user to solve a captcha before further login attempts.

# per-user failure counter kept in Redis (key layout is illustrative)
fail_username = 'login:fail:' + username
fail_count = get_from_redis(fail_username) or 0
if fail_count >= 3:
    if captcha is None:
        return error('需要验证码')
    check_captcha(captcha)

success = do_login(username, password)
if not success:
    set_redis(fail_username, fail_count + 1)

Login Throttling and Account Lock

Lock an account after many consecutive failures and optionally require additional verification.

fail_username = 'login:fail:' + username
lock_username = 'login:lock:' + username
fail_count = get_from_redis(fail_username) or 0
locked = get_from_redis(lock_username)

if locked:
    return error('拒绝登录')
if fail_count >= 3:
    if captcha is None:
        return error('需要验证码')
    check_captcha(captcha)

success = do_login(username, password)
if not success:
    set_redis(fail_username, fail_count + 1)
    if fail_count + 1 >= 10:
        # lock for 5 minutes (TTL in seconds; the key expires on its own)
        set_redis(lock_username, True, ttl=300)

IP‑Based Rate Limiting

Track failures per IP address and block the IP after a threshold.

ip = request['IP']
fail_ip = 'login:fail_ip:' + ip
fail_count = get_from_redis(fail_ip) or 0
if fail_count > 10:
    return error('拒绝登录')
# other logic (captcha and account lock as above)
success = do_login(username, password)
if not success:
    # count the failure; the 5-minute TTL lets the block expire by itself
    set_redis(fail_ip, fail_count + 1, ttl=300)

Be aware of drawbacks: shared IPs (e.g., corporate NAT) may cause legitimate users to be blocked, and attackers can switch VPNs to bypass IP bans.

Phone Verification

Combine captcha with SMS/phone verification for stronger protection after multiple failures.

fail_username = 'login:fail:' + username
fail_count = get_from_redis(fail_username) or 0

if fail_count > 3:
    if captcha is None:
        return error('需要验证码')
    check_captcha(captcha)

if fail_count > 10:
    # after many failures also demand the one-time code sent to the user's phone
    if dynamic_code is None:
        return error('请输入手机验证码')
    if not validate_dynamic_code(username, dynamic_code):
        delete_dynamic_code(username)
        return error('手机验证码错误')

success = do_login(username, password, dynamic_code)
if not success:
    set_redis(fail_username, fail_count + 1)

Even with these measures, no system is 100% secure; the goal is to raise the attacker's cost.
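The captcha, account-lock and per-IP steps above are one decision chain, shown here as a single runnable guard. This is an added example, not code from the original post: the constructed USERS table stands in for do_login(), an in-memory dictionary with expiry stands in for the Redis counters, and a captcha value of 'ok' stands in for check_captcha(); the SMS step plugs in at the same point as the captcha check.

```python
import hmac
import time

# Constructed user table standing in for do_login()'s real credential check.
USERS = {'alice': 'correct-horse', 'bob': 'hunter2'}

CAPTCHA_AFTER = 3    # failures before a captcha is required (page: fail_count >= 3)
LOCK_AFTER = 10      # failures before the account is locked (page: >= 10)
IP_LIMIT = 10        # failures from one IP before it is refused (page: > 10)
WINDOW = 300         # 5-minute TTL for counters and locks, as in the page

# In-memory stand-in for Redis; values expire like keys set with EXPIRE.
_store = {}

def get_from_redis(key, default=0):
    value, expires = _store.get(key, (default, None))
    if expires is not None and time.time() > expires:
        del _store[key]
        return default
    return value

def set_redis(key, value, ttl=None):
    _store[key] = (value, time.time() + ttl if ttl else None)

def check_login(username, password, ip, captcha=None):
    fail_key = 'login:fail:' + username
    lock_key = 'login:lock:' + username
    ip_key = 'login:fail_ip:' + ip
    if get_from_redis(lock_key, False):
        return 'locked'                        # page: error('拒绝登录')
    ip_fails = get_from_redis(ip_key)
    if ip_fails > IP_LIMIT:
        return 'ip_blocked'
    fail_count = get_from_redis(fail_key)
    if fail_count >= CAPTCHA_AFTER:
        if captcha is None:
            return 'captcha_required'          # page: error('需要验证码')
        if captcha != 'ok':                    # stand-in for check_captcha()
            return 'captcha_wrong'
    expected = USERS.get(username, '')
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        set_redis(fail_key, 0)                 # a successful login clears the counter
        return 'success'
    fail_count += 1
    set_redis(fail_key, fail_count, ttl=WINDOW)
    set_redis(ip_key, ip_fails + 1, ttl=WINDOW)
    if fail_count >= LOCK_AFTER:
        set_redis(lock_key, True, ttl=WINDOW)  # lock for 5 minutes
    return 'failed'
```

Note that the captcha and lock checks run before the password is verified, so an attacker who hits the threshold learns nothing from the response even when the guess was right.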

Man‑in‑the‑Middle (MITM) Attacks

MITM attacks intercept or modify traffic between client and server, allowing attackers to capture login credentials.

HTTPS Protection

Enforcing HTTPS (TLS) encrypts traffic, ensures data integrity, and authenticates the server, effectively mitigating MITM risks. TLS provides three protections:

- Content encryption
- Data integrity
- Identity verification

Implementation details of TLS are omitted for brevity.

Additional Encryption Measures

Encrypt usernames on the client using asymmetric encryption and decrypt them on the server.

Hash passwords (e.g., with MD5) on the client before transmission so the plaintext password is never sent.
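Once the client sends a hash instead of the password, that hash is the credential the server receives, so storing it unchanged would make a leaked database directly usable for login. This added example (not from the original post) keeps the client-side MD5 the page describes and has the server store a per-user salted PBKDF2 of the received value, comparing in constant time; the function names and the in-memory store are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; raise in production
DUMMY_SALT = b'\x00' * 16

def client_side_hash(password):
    # what the client sends instead of the plaintext password (MD5, as the page suggests)
    return hashlib.md5(password.encode()).hexdigest()

def _derive(client_hash, salt):
    # server-side slow, salted hash over the value the client transmitted
    return hashlib.pbkdf2_hmac('sha256', client_hash.encode(), salt, ITERATIONS)

def register(store, username, client_hash):
    salt = os.urandom(16)
    store[username] = (salt, _derive(client_hash, salt))

def verify(store, username, client_hash):
    record = store.get(username)
    if record is None:
        # same amount of work for unknown users, so timing does not reveal whether the name exists
        _derive(client_hash, DUMMY_SALT)
        return False
    salt, stored = record
    return hmac.compare_digest(_derive(client_hash, salt), stored)
```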

Other Recommended Practices

Record operation logs for every login and sensitive action (including IP and device information).

Send alerts (e.g., SMS) for abnormal login activities.

Enforce strong password policies and reject weak passwords.

Prevent username enumeration by limiting feedback during registration.

Written by Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)