Closed jpalmieri closed 9 years ago
Great job on this. Thanks for the article link, that was a good read. That was good that the captcha only kicked in after a few bad attempts so most users don't have to do it. As you alluded to, captcha protection can be pushed far back on the roadmap if you decide it's worthwhile.
Added devise's lockable feature. Locks user out for 15 minutes after 5 failed attempts.
I used this for a guide: https://hakiri.io/blog/rails-login-security
I may choose to add the captcha part from that guide at a later date. Seems like it would be a better user experience.
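
The lockout policy described in this PR (5 failed attempts, then a 15-minute lock), as an added stand-alone Ruby model. It is not code from this PR or from Devise; `LockoutTracker` and its method names are hypothetical.

```ruby
# Stand-alone model of the policy in this PR; LockoutTracker is a
# hypothetical name, and this is not Devise's implementation.
class LockoutTracker
  MAX_ATTEMPTS = 5          # failed attempts before locking
  UNLOCK_IN    = 15 * 60    # lock duration in seconds

  attr_reader :failed_attempts, :locked_at

  def initialize
    @failed_attempts = 0
    @locked_at = nil
  end

  # True while a lock is set and its window has not yet elapsed.
  def locked?(now)
    !@locked_at.nil? && now < @locked_at + UNLOCK_IN
  end

  # Records one login attempt; returns :ok, :invalid or :locked.
  # A locked account rejects even the correct password, so the
  # response does not confirm a guess during the lock window.
  def attempt(password_ok, now)
    return :locked if locked?(now)
    clear_lock if @locked_at          # an expired lock starts a fresh count

    if password_ok
      @failed_attempts = 0            # success resets the counter
      return :ok
    end

    @failed_attempts += 1
    return :invalid if @failed_attempts < MAX_ATTEMPTS
    @locked_at = now                  # fifth failure sets the lock
    :locked
  end

  private

  def clear_lock
    @locked_at = nil
    @failed_attempts = 0
  end
end
```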