Implementation of Password Guessing Resistant Protocol (PGRP) to Prevent Online Attacks?

The inadequacy of login protocols designed to address large scale online dictionary attacks (e.g., from a botnet of hundreds of thousands of nodes). Brute force and dictionary attacks on password-only remote login services are now widespread and emerging technique. Convenient login for legitimate users while preventing such attacks is a difficult problem. Automated Turing Tests (ATTs) continue to be an effective, easy-to-deploy approach to identify automated malicious login attempts with reasonable cost of inconvenience to users. In this paper, we propose a protocol called Password Guessing Resistant Protocol (PGRP), derived upon revisiting recent proposals designed to avoid such attacks. In PGRP limits the total number of login attempts from unknown remote users to as low as a single attempt per username, the users in most cases (e.g., when attempts are made from known, frequently-used machines) can make multiple failed login attempts before being challenged with an ATT. We evaluate the performance of PGRP with two realworld data sets and find out more than the existing proposals.