Thesis

Enhancing Authentication Security: A Python-Based System for Brute Force Attack Prevention

Summary

This thesis focuses on enhancing the security of Python/Django-based authentication systems against brute-force attacks.
It investigates existing mitigation strategies and implements a multi-layered defence model incorporating techniques such as progressive account lockouts, Google reCAPTCHA, rate-limiting, OTP-based 2FA, and secure email verification.
The aim is to build a robust, scalable, and user-friendly authentication framework tailored for small organizations with limited technical resources.
The system's performance and usability are evaluated through simulated attack scenarios, heuristic usability reviews, and real-time dashboard analytics to achieve an optimal balance between strong security and positive user experience.

Skills Acquired

Applying solo Agile development

Designing secure authentication workflows

Developing Django-based login systems

Implementing rate limiting using django-ratelimit

Integrating time-based OTP two-factor authentication

Configuring and validating Google reCAPTCHA

Developing progressive account lockout logic

Creating and managing secure email verification tokens

Implementing role-based access control (RBAC)

Conducting STRIDE and OWASP threat modelling

Using Chart.js to build real-time security analytics dashboards

Simulating brute-force and distributed attack scenarios

Conducting heuristic evaluation using Nielsen's usability principles

Enhancing user experience through password guide modals

Automating admin alerts for suspicious activities via email

Securing user data with Django's hashing and session management tools

Logging and monitoring security events in Django

Adhering to GDPR and ethical data handling practices

Documenting development and research findings professionally

References Used

Below is a reference list of all the Sources (articles, books, reports, whitepapers, websites, etc) that I used through out (Using Harvard Referencing style).

Abdulkader, A., Deep, K., Uma, S. & Cremer, C., 2015. A Review of Brute Force Attack Detection Techniques. International Journal of Computer Applications, 128(5).

Ba, A., Deng, Z. & Zhao, Y., 2021. Mitigating Credential Stuffing Attacks Using Intelligent Authentication Systems. Journal of Information Security Research, 12(3), pp. 78-85.

CAPEC, 2018. CAPEC-112: Brute Force. [Online] Available at: https://capec.mitre.org/data/definitions/112.html [Accessed 03 April 2025].

Cleary, J., 2024. Understanding Brute Force Attacks. In: Cybersecurity Threats in Practice. New York: Springer, pp. 22-29.

Contrast Security, 2021. Obfuscation Bypass in Modern Attacks. [Online] Available at: https://www.contrastsecurity.com/resources [Accessed 02 April 2025].

Cremer, C., Uma, S. & Padmavathi, S., 2022. Risk Assessment of Brute-Force Authentication Threats. ACM Transactions on Cybersecurity, 9(1), pp. 55-66.

CWE Content Team, 2021. Common Weakness Enumeration. [Online] Available at: https://cwe.mitre.org/ [Accessed 30 April 2025].

Department for Science, Innovation & Technology, 2024. UK Cybersecurity Guidelines. London: UK Government Publications.

Devndra, D., 2020. Comparison between Django and Flask Security Features. Journal of Web Framework Studies, 6(2), pp. 104-112.

Django Software Foundation, 2023. Django Project Documentation. [Online] Available at: https://www.djangoproject.com/ [Accessed 29 April 2025].

Farrukh, S., 2013. Tradeoffs between Usability and Security. International Journal of Engineering and Technology, 5(4), pp. 434-437.

Fluid attacks: help center, 2024. Concurrent sessions - Python. [Online] Available at: https://help.fluidattacks.com/portal/en/kb/articles/criteria-fixes-python-062 [Accessed 01 April 2025].

GeoLite2, 2023. GeoLite Databases and Web Services. [Online] Available at: https://dev.maxmind.com/geoip/geoip2/geolite2/ [Accessed 01 May 2025].

Gollmann, D., 2021. Authentication, Authorisation & Accountability Knowledge Area Version 1.0.2. [Online] Available at: https://www.cybok.org/media/downloads/Authentication_Authorisation_Accountability_v1.0.2.pdf [Accessed 4 December 2024].

Golofit, K., 2007. Click Passwords Under Investigation. European Symposium on Research in Computer Security, 15(19), pp. 343-358.

Google cloud, 2025. Identity Platform. [Online] Available at: https://cloud.google.com/security/products/identity-platform [Accessed 30 April 2025].

Google, 2025. recaptcha how it works. [Online] Available at: https://cloud.google.com/security/products/recaptcha#how-it-works [Accessed 30 April 2025].

Grimes, R. A., 2020. Brute-Force Attacks. In: Hacking Multifactor Authentication. s.l.:s.n., p. Chapter 14.

Grunwaldt, J.-M., 2019. A Comparison of Modern Backend Frameworks Protections against Common Web Vulnerabilities. [Online] Available at: https://www.cs.tufts.edu/comp/116/archive/fall2019/jgrunwaldt.pdf [Accessed 30 April 2025].

Hamza, A. & Al-Janabi, R. J. s., 2024. Detecting Brute Force Attacks Using Machine Learning. BIO Web of Conferences, 97(3).

Herley, C. & Florencio, D., 2008. Protecting Financial Institutions from Brute-Force Attacks. In: IFIP – The International Federation for Information Processing. Boston, MA: Springer, pp. 681-685.

Hevner, A. R., March, S. . T., Ram, S. & Park, J., 2004. Design Science in Information Systems Research. MIS Quarterly, 28(1), pp. 75-105.

Idhom, M., Wahanani, H. E. & Fauzi, A., 2020. Network Security System on Multiple Servers Against Brute Force Attacks. Surabaya, Indonesia, IEEE, pp. 258-262.

Idris, N., Foozy, C. F. M. & Shamala, P., 2020. A Generic Review of Web Technology: DJango and Flask. International Journal of Advanced Computing Science and Engineering, 2(1), pp. 34-40.

IndiaFreeNotes, 2023. Influence of Information Systems in Transforming Businesses. [Online] Available at: https://indiafreenotes.com/influence-of-information-systems-in-transforming-businesses [Accessed 30 July 2023].

Information Commissioner's Office, 2024. Brute force attacks. [Online] Available at: https://ico.org.uk/about-the-ico/research-reports-impact-and-evaluation/research-and-reports/learning-from-the-mistakes-of-others-a-retrospective-review/brute-force-attacks/ [Accessed 3 December 2024].

Jimmy, F., 2024. Cybersecurity Threats and Vulnerabilities in Online Banking Systems. International Journal of Scientific Research and Management (IJSRM), 12(10), pp. 1631-1646.

Khan, R., McLaughlin, K., Laverty, D. & Sezer, S., 2017. STRIDE-based threat modeling for cyber-physical systems. Turin, Italy, IEEE.

Kirlappos, I. & Sasse, M. A., 2014. What Usable Security Really Means: Trusting and Engaging Users. London, UK, University College London, pp. 69-78.

Lodhi, A., 2010. Usability Heuristics as an assessment parameter: For performing Usability Testing. San Juan, USA, IEEE.

Lu, B. et al., 2018. A Measurement Study of Authentication Rate-Limiting Mechanisms of Modern Websites. ACSAC San Juan, PR, USA, Volume 00, pp. 3-7.

Lutz, M., 2013. Learning Python. 4th ed. s.l.:O'Reilly Media.

Tasks Done Throughout

This thesis focuses on enhancing the security of Python-based login systems by addressing the growing threat of brute force attacks.
Brute force attacks, where attackers attempt to guess usernames and passwords, remain a significant challenge due to weak or easily guessed login credentials.
The research aims to assess current brute force prevention methods and explore how Python libraries and features can be leveraged to improve login security.
The study will develop a Python-based solution that incorporates techniques such as rate-limiting, CAPTCHA, account lockouts, and progressive delays between login attempts.
It will evaluate the effectiveness and usability of these measures through simulated brute force attacks, aiming to find a balance between robust security and user convenience, particularly for smaller organizations with limited resources.
The research will use amixed-methods approach, including literature review, system design and implementation, testing, and evaluation, while ensuring that the solution remains affordable and easy to implement.
The ultimate goal is to propose practical, effective, and user-friendly security solutions for Python-based login systems to mitigate brute force attacks.

Below is a breakdown of the activities done.

Project Outline

My project focuses on developing a secure, Python-based authentication system designed to prevent brute-force attacks by integrating progressive lockouts, CAPTCHA verification, and two-factor authentication, all while maintaining a balance between strong security and user experience.

Download PDF

Research Proposal, Risk Assessement and Ethical Approval

This research proposal explores the challenges of brute-force attack mitigation in web authentication systems, proposing a layered defense model that incorporates adaptive security features and evaluates their effectiveness through simulation and testing.

Ethical Approval: Outlines the ethical considerations guiding the research, ensuring adherence to ethical principles and guidelines. Since the research does not involve human participants, issues like consent, do not apply. However, it will address relevant concerns related to data handling, security, and other ethical aspects of the work.

Download PDF

Dissertation

This presents the full design, implementation, and evaluation of a Django-based login system that combines technical safeguards with usability-focused enhancements to address common access control threats.

To view the full system, visit my github, under thesisdjango repository: thesisdjango on GitHub.

Below is a copy of the Dissertation as submitted for Master Thesis.

Download PDF

Below is a copy of a Powerpoint Presentation (but in pdf) as submitted for Master Thesis.

Download PDF

E-Portfolio: Beatrice MUTEGI-ROYER

Thesis

Summary

Skills Acquired

References Used

Tasks Done Throughout

Contact