vavavr00m / noserub

Automatically exported from code.google.com/p/noserub

Limiting login attempts #280

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Just read "Dictionary Attacks 101" (http://www.codinghorror.com/blog/archives/001206.html) and I think it would be useful if we implemented something to delay failed login attempts as described in the article.

Original issue reported on code.google.com by dhofs...@gmail.com on 8 Jan 2009 at 5:58

GoogleCodeExporter commented 9 years ago
That's a good idea. But we cannot rely on sessions there (I don't think the bots will use cookies), so we also need a table where we store login attempts and IP addresses.

That would also mean having a cleanup cronjob, so that this table does not fill up some day.

But we need a cleanup cronjob anyway, as we currently do not delete identities when the verify link was not clicked - although we say so in our mail :-)

Original comment by dirk.olb...@gmail.com on 17 Jan 2009 at 5:56
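
A sketch of the approach discussed in this thread, as an added example that is not NoseRub code: failed logins are stored per IP address in a table instead of the session, the delay grows with recent failures, and `cleanup()` is what the cronjob would run. The table name, thresholds and doubling schedule are assumptions, and SQLite stands in for the project's database.

```python
import sqlite3

# Assumed policy values, not taken from the thread or the article.
WINDOW_SECONDS = 15 * 60   # failures older than this no longer count
FREE_ATTEMPTS = 3          # failures tolerated before any delay applies
MAX_DELAY_SECONDS = 60     # upper bound on the imposed delay

def open_db(path=":memory:"):
    """Create the (hypothetical) login_attempts table, keyed by IP, not session."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS login_attempts ("
                 "ip TEXT NOT NULL, attempted_at REAL NOT NULL)")
    conn.execute("CREATE INDEX IF NOT EXISTS idx_login_attempts "
                 "ON login_attempts (ip, attempted_at)")
    return conn

def record_failure(conn, ip, now):
    """Store one failed login; parameters are bound, never concatenated."""
    conn.execute("INSERT INTO login_attempts (ip, attempted_at) VALUES (?, ?)",
                 (ip, now))
    conn.commit()

def required_delay(conn, ip, now):
    """Seconds to hold back the next attempt from this IP (doubling, capped)."""
    (failures,) = conn.execute(
        "SELECT COUNT(*) FROM login_attempts WHERE ip = ? AND attempted_at > ?",
        (ip, now - WINDOW_SECONDS)).fetchone()
    if failures < FREE_ATTEMPTS:
        return 0
    return min(2 ** (failures - FREE_ATTEMPTS), MAX_DELAY_SECONDS)

def cleanup(conn, now):
    """Cronjob body: drop rows outside the window; returns rows deleted."""
    cur = conn.execute("DELETE FROM login_attempts WHERE attempted_at <= ?",
                       (now - WINDOW_SECONDS,))
    conn.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = open_db()
    for i in range(6):   # constructed sample: six failures from a documentation IP
        record_failure(db, "203.0.113.7", 1000.0 + i)
        print(i + 1, "failures ->", required_delay(db, "203.0.113.7", 1000.0 + i), "s")
    print("rows removed by cleanup:", cleanup(db, 1000.0 + WINDOW_SECONDS + 10))
```

Keying on the IP address alone also delays other users who share that address, so the thresholds need to tolerate a few failures before any delay applies.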