Open rogofsky opened 5 years ago
I would love to see this optional password collection. Any chance this is going to happen? :grin:
@rogofsky I'm not familiar with hpfeeds, but there are some pretty cool things about this PR.
We previously did collect passwords, but I removed it after myself and a few of my coworkers inadvertently tried logging in to the honeypot with our real passwords in a production environment. The muscle memory of "/admin/" can be hard to get rid of. ;)
But #69 has us talking about a setting to toggle the recording of IP addresses for GDPR/PII reasons. If there are valid cases for recording passwords, I could be convinced to allow the same for them.
This PR also has me thinking about configurable handlers for login attempts, e.g.:
Define which handlers you want to use in your settings, along with any handler-specific configuration. It'd be much easier to build and test additional integrations in this code base (or outside of it, if the python paths are used). I can definitely envision this in a django-admin-honeypot 2.0 release.
@shawnngtq There's definitely a chance.
These changes were made to enable this honeypot to run in our environment:
I notice that the request to collect passwords was rejected in #25. That makes sense for deployments on production websites, but this honeypot is also useful in deployments where there is no live site and it is deployed solely for data collection. In this case, there is no possibility for accidental password entry and collecting passwords is very useful for research. However, this PR sets this option to `False` by default.
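A sketch of the configurable-handler idea discussed in this thread, with password recording off by default and IP recording as a toggle. This is an added example, not code from django-admin-honeypot or from this PR; the setting names (`RECORD_PASSWORD`, `RECORD_IP`, `HANDLERS`) and the handler signature are assumptions made for illustration.

```python
import importlib

# Hypothetical settings (assumed names, not the project's real options).
DEFAULTS = {"RECORD_PASSWORD": False, "RECORD_IP": True, "HANDLERS": []}


def resolve(handler):
    """Accept a callable or a dotted 'package.module.func' path."""
    if callable(handler):
        return handler
    module_path, _, name = handler.rpartition(".")
    return getattr(importlib.import_module(module_path), name)


def build_event(username, password, ip, cfg):
    """Build the record passed to handlers, dropping fields that are toggled off."""
    event = {"username": username}
    if cfg["RECORD_IP"]:
        event["ip"] = ip
    if cfg["RECORD_PASSWORD"]:
        # Opt-in only: a mistyped real credential would otherwise be stored.
        event["password"] = password
    return event


def dispatch(username, password, ip, settings):
    """Send one login attempt to every configured handler.

    Returns the event and a list of (handler, exception) pairs, so one
    failing integration does not stop the others from running.
    """
    cfg = {**DEFAULTS, **settings}
    event = build_event(username, password, ip, cfg)
    failures = []
    for entry in cfg["HANDLERS"]:
        try:
            # Each handler gets its own copy plus its handler-specific options.
            resolve(entry["handler"])(dict(event), entry.get("options", {}))
        except Exception as exc:
            failures.append((entry["handler"], exc))
    return event, failures


def list_handler(event, options):
    """Sample handler: append the event to the list given in its options."""
    options["sink"].append(event)


if __name__ == "__main__":
    sink = []  # constructed sample input below, not real attempt data
    cfg = {"HANDLERS": [{"handler": list_handler, "options": {"sink": sink}}]}
    print(dispatch("admin", "hunter2", "203.0.113.7", cfg), sink)
```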