buttonmen-dev / buttonmen

Buttonmen - an online dice game

Disable login after N failed login attempts #540

Open blackshadowshade opened 10 years ago

blackshadowshade commented 10 years ago

To avoid brute-force password attacks, we need to disable login after a number of failed attempts. The account could then be reactivated via a link sent by email.

This is probably something to keep in mind when implementing #140, since the only database change that is necessary here is an extra field with the count of the number of consecutive failed attempts.

jl8e commented 10 years ago

That makes for an easy denial-of-service on an account. Blocking or throttling by IP is a better approach.

blackshadowshade commented 10 years ago

Good point, Julian. Any idea how to implement such a thing? Or is this simply an Apache setting somewhere?

jl8e commented 10 years ago

I’m currently doing web stack development in Django, so not usefully.

It’s a problem that has to have been solved many times already.
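The two mechanisms debated in this thread, side by side, as an added Python example that is not part of the issue or of the buttonmen code base. It implements the per-account consecutive-failure counter with email reactivation that the issue asks for, reproduces the account denial-of-service jl8e points out (an attacker's guesses lock the legitimate owner out), and adds the per-IP sliding-window throttle suggested as the alternative. All names (`LoginGuard`, `attempt`, `reactivate`, the `USERS` store, the sample usernames and addresses) are hypothetical; the account store and the "emailed" token are constructed in memory so the block runs offline.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed sample account store: username -> (salt, PBKDF2-SHA256 digest).
# Hypothetical layout, not buttonmen's schema.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-16-byte-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
_DUMMY = (_SALT, b"\x00" * 32)  # hashed for unknown users so timing does not reveal usernames


class LoginGuard:
    """Hypothetical guard combining both ideas from the thread:
    - consecutive-failure lockout per account, cleared by an emailed token;
    - sliding-window throttle per source IP."""

    def __init__(self, max_account_failures=5, ip_limit=20, ip_window=600.0):
        self.max_account_failures = max_account_failures
        self.ip_limit = ip_limit          # attempts allowed per IP within ip_window seconds
        self.ip_window = ip_window
        self.failures = defaultdict(int)  # the single extra counter the issue proposes
        self.locked = set()               # accounts disabled pending reactivation
        self.reactivation_tokens = {}     # username -> token that would go out by email
        self.ip_hits = defaultdict(deque) # ip -> timestamps of recent attempts

    def _ip_throttled(self, ip, now):
        hits = self.ip_hits[ip]
        while hits and now - hits[0] > self.ip_window:   # drop attempts outside the window
            hits.popleft()
        if len(hits) >= self.ip_limit:
            return True
        hits.append(now)
        return False

    def attempt(self, username, password, ip, now=None):
        """Returns one of: ok, bad_password, account_locked, ip_throttled."""
        now = time.monotonic() if now is None else now
        if self._ip_throttled(ip, now):       # IP check first: it costs no per-account state
            return "ip_throttled"
        if username in self.locked:
            return "account_locked"
        salt, digest = USERS.get(username, _DUMMY)
        if username in USERS and hmac.compare_digest(_hash(password, salt), digest):
            self.failures[username] = 0       # only *consecutive* failures count
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.max_account_failures:
            self.locked.add(username)
            self.reactivation_tokens[username] = secrets.token_urlsafe(32)  # "sent by email"
            return "account_locked"
        return "bad_password"

    def reactivate(self, username, token):
        """Consumes the emailed token; a wrong or already-used token is rejected."""
        expected = self.reactivation_tokens.get(username)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        del self.reactivation_tokens[username]
        self.locked.discard(username)
        self.failures[username] = 0
        return True


def simulate():
    """Walks through the scenario in the thread and returns what each party observed."""
    guard = LoginGuard(max_account_failures=5, ip_limit=8, ip_window=600.0)
    log = {}
    # Attacker at 198.51.100.7 guesses alice's password: four misses, then the account locks.
    log["attacker"] = [guard.attempt("alice", f"guess{i}", "198.51.100.7", now=float(i))
                       for i in range(5)]
    # jl8e's objection: alice herself, right password, own address, is now shut out.
    log["victim_locked_out"] = guard.attempt("alice", "correct horse", "192.0.2.5", now=10.0)
    log["bad_token"] = guard.reactivate("alice", "not-the-token")
    log["reactivated"] = guard.reactivate("alice", guard.reactivation_tokens["alice"])
    log["victim_after"] = guard.attempt("alice", "correct horse", "192.0.2.5", now=20.0)
    # Second wave from the same address: the IP window (8 per 600 s) fills before the
    # account counter reaches 5 again, so this time alice is not locked out.
    log["attacker_second_wave"] = [guard.attempt("alice", f"again{i}", "198.51.100.7", now=30.0 + i)
                                   for i in range(4)]
    log["victim_during_throttle"] = guard.attempt("alice", "correct horse", "192.0.2.5", now=40.0)
    return log


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The ordering matters: the IP throttle is checked before any account state is touched, so a single address cannot exhaust an account's failure budget once its own window is full, while a distributed attacker (many addresses) is still caught by the per-account counter. The per-IP window is kept in memory here; behind a proxy or load balancer it would need the real client address and shared storage, neither of which the thread settles.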