agdsn / pycroft

The AG DSN management system
Apache License 2.0

Prevent brute-forcing of passwords #279

Open georgeto opened 5 years ago

georgeto commented 5 years ago

We should prevent brute-forcing of passwords by locking the affected account or/and the requester ip after a certain threshold of failed login attempts.

ibot3 commented 5 years ago

There would be the option to add a RecaptchaField.

sebastl commented 5 years ago

I am strongly against reCAPTCHAs, especially for privacy reasons. Furthermore, CAPTCHAs are not necessary to solve this problem. @Georgeto's approach should suffice.

sebschrader commented 5 years ago

reCAPTCHA for an internal tool is out of the question.

Locking the account is also a terrible idea, as it allows DoS. There are better ways.
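One shape the "better ways" can take is throttling instead of locking: count failed attempts per source IP and per account over a sliding window, and once a counter passes its threshold make the caller wait an exponentially growing but capped delay. A flood of wrong guesses against one account then slows its real owner down by at most the cap rather than locking them out, while a single source cycling through many accounts is slowed by the per-IP counter. The code below is an added illustration of that idea, not pycroft code; `LoginThrottle`, `attempt_login`, `FakeClock`, the thresholds and the in-memory store are all assumptions made here (a deployment would keep the counters in Redis or the database, and would also log the throttled attempts).

```python
"""Sliding-window login throttling with exponential backoff.

Added illustration for the approach discussed in this issue; not pycroft
code. Names, thresholds and the in-memory store are hypothetical.
"""
import time
from collections import deque


class LoginThrottle:
    """Delay, rather than lock out, after repeated failed logins.

    Failures are tracked per source IP and per account over a sliding window.
    Once a counter reaches its threshold the caller must wait
    base_delay * 2**excess seconds, capped at max_delay.
    """

    def __init__(self, window=900, ip_threshold=10, account_threshold=3,
                 base_delay=1.0, max_delay=60.0, clock=time.monotonic):
        self.window = window
        self.ip_threshold = ip_threshold
        self.account_threshold = account_threshold
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._failures = {}  # ("ip", addr) / ("acct", name) -> deque of timestamps

    def _keys(self, ip, username):
        return ((("ip", ip), self.ip_threshold),
                (("acct", username.lower()), self.account_threshold))

    def _recent_failures(self, key, now):
        """Drop failures older than the window and return how many remain."""
        dq = self._failures.get(key)
        if dq is None:
            return 0
        while dq and now - dq[0] > self.window:
            dq.popleft()
        if not dq:
            del self._failures[key]
            return 0
        return len(dq)

    def _delay(self, count, threshold):
        excess = count - threshold
        if excess < 0:
            return 0.0
        return min(self.base_delay * 2 ** excess, self.max_delay)

    def retry_after(self, ip, username):
        """Seconds the caller must still wait; 0.0 means the attempt may proceed."""
        now = self.clock()
        wait = 0.0
        for key, threshold in self._keys(ip, username):
            count = self._recent_failures(key, now)
            if count == 0:
                continue
            since_last = now - self._failures[key][-1]
            wait = max(wait, self._delay(count, threshold) - since_last)
        return max(0.0, wait)

    def record_failure(self, ip, username):
        now = self.clock()
        for key, _ in self._keys(ip, username):
            self._failures.setdefault(key, deque()).append(now)

    def record_success(self, ip, username):
        # Clear the account counter only; the IP counter is kept on purpose so
        # a source that guessed one password is still slowed down elsewhere.
        self._failures.pop(("acct", username.lower()), None)


def attempt_login(throttle, ip, username, password, check_password):
    """Return (status, seconds_to_wait); status is throttled, ok or denied."""
    wait = throttle.retry_after(ip, username)
    if wait > 0:
        return "throttled", wait
    if check_password(username, password):
        throttle.record_success(ip, username)
        return "ok", 0.0
    throttle.record_failure(ip, username)
    return "denied", throttle.retry_after(ip, username)


class FakeClock:
    """Controllable clock so the behaviour can be exercised without sleeping."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Constructed scenario: one source guesses alice's password, then alice logs in."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    users = {"alice": "correct horse battery staple"}  # constructed sample data
    check = lambda user, pw: users.get(user) == pw
    log = []
    for guess in ("123456", "password", "letmein", "qwerty", "welcome"):
        clock.advance(throttle.retry_after("10.0.0.1", "alice"))  # waits out each delay
        log.append(attempt_login(throttle, "10.0.0.1", "alice", guess, check))
    # alice, from her own address, is delayed by the account counter but not locked out
    log.append(attempt_login(throttle, "192.168.1.5", "alice", users["alice"], check))
    clock.advance(log[-1][1])
    log.append(attempt_login(throttle, "192.168.1.5", "alice", users["alice"], check))
    return log


if __name__ == "__main__":
    for status, wait in demo():
        print(f"{status:9s} retry_after={wait}")
```

In `demo()` the third wrong guess triggers a 1 s delay, the fourth 2 s, the fifth 4 s; alice is then told to retry in 4 s and succeeds afterwards, at which point her account counter is cleared while the guessing source's IP counter is kept. The window prune in `_recent_failures` means old failures age out on their own, so nothing ever has to be manually unlocked.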