Temporarily lock out accounts after too many bad passwords

Bug #809036 reported by François Marier on 2011-07-11

Bug Description

To make brute-forcing of passwords impractical, Libravatar should add a delay before returning the "bad password" page or it should temporarily lock accounts out after a few bad passwords.

Adding a timeout would waste server resources, so perhaps a temporary lockout of 1 minute after 4 bad passwords is a better strategy.

This would involve storing the number of bad passwords (to be reset every hour? or every day?) and the lockout time in the database. Users would be shown a message saying that they need to wait for 1 minute before trying again.

Should we extend the lockout time when users keep trying while they're locked out? This would create a lot of database writes in the case of a brute-forcer but could mean that dumb brute-forcing software that just keeps trying would only ever get 4 attempts.

It would be nice to find a way to extend the built-in Django auth system with such a feature.

François Marier (fmarier) wrote :

Another approach would be to use memcache to keep track of these bad passwords.
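The policy sketched in the report (4 bad passwords, then a 1-minute lockout, with the option of re-arming the lockout while a locked account keeps being hit) and the cache-based bookkeeping suggested in the comment, as an added example that is not Libravatar's code. The `TTLCache` class is a stand-in for memcache or Django's cache API with the same get/set/delete-with-TTL shape; the one-hour failure window and the `extend_on_retry` switch are assumptions, since the report leaves both open. Locking is checked before the password is verified, so a locked account never reveals whether a guess was right.

```python
import math
import time

# 4 failures and a 60-second lockout come from the report; the one-hour
# failure window and the extend-on-retry behaviour are assumptions.
MAX_FAILURES = 4
LOCKOUT_SECONDS = 60
FAILURE_WINDOW_SECONDS = 3600
EXTEND_LOCKOUT_ON_RETRY = True


class TTLCache:
    """Stand-in for memcache / Django's cache API: values expire after a TTL.
    Keeping counters here avoids the database writes the report worries about;
    the trade-off is that a cache restart forgets all failure counts."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._data = {}

    def get(self, key, default=None):
        entry = self._data.get(key)
        if entry is None:
            return default
        value, expires_at = entry
        if expires_at <= self._clock():
            del self._data[key]
            return default
        return value

    def set(self, key, value, ttl):
        self._data[key] = (value, self._clock() + ttl)

    def delete(self, key):
        self._data.pop(key, None)


class LoginThrottle:
    """Counts bad passwords per account and locks the account temporarily."""

    def __init__(self, cache, clock=time.monotonic, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS,
                 failure_window=FAILURE_WINDOW_SECONDS,
                 extend_on_retry=EXTEND_LOCKOUT_ON_RETRY):
        self.cache = cache
        self.clock = clock
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failure_window = failure_window
        self.extend_on_retry = extend_on_retry

    def seconds_locked(self, username):
        """0 if the account is open, else whole seconds left on the lockout."""
        locked_until = self.cache.get("lockout:" + username)
        if locked_until is None:
            return 0
        return max(0, math.ceil(locked_until - self.clock()))

    def _lock(self, username):
        self.cache.set("lockout:" + username,
                       self.clock() + self.lockout_seconds, self.lockout_seconds)
        self.cache.delete("failures:" + username)

    def attempt(self, username, check_password):
        """One login attempt. check_password is a zero-argument callable that is
        only invoked when the account is not locked. Returns (status, wait_seconds)
        with status 'ok', 'bad_password' or 'locked'."""
        remaining = self.seconds_locked(username)
        if remaining:
            if self.extend_on_retry:
                # Re-arm: software that keeps hammering never gets a 5th try,
                # at the cost of one cache write per attempt while locked.
                self._lock(username)
                remaining = self.lockout_seconds
            return "locked", remaining
        if check_password():
            self.cache.delete("failures:" + username)
            return "ok", 0
        key = "failures:" + username
        failures = self.cache.get(key, 0) + 1
        # Each failure restarts the window: the count only expires after a quiet hour.
        self.cache.set(key, failures, self.failure_window)
        if failures >= self.max_failures:
            self._lock(username)
            return "locked", self.lockout_seconds
        return "bad_password", 0


class FakeClock:
    """Controllable clock so the scenario runs instantly and deterministically."""

    def __init__(self):
        self.t = 1000.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def scenario():
    """Four bad guesses lock 'alice'; correct guesses while locked re-arm the
    lockout; the right password works once the lockout has lapsed."""
    clock = FakeClock()
    throttle = LoginThrottle(TTLCache(clock.now), clock=clock.now)
    out = [throttle.attempt("alice", lambda: False) for _ in range(4)]
    out.append(throttle.attempt("alice", lambda: True))   # right password, but locked
    clock.advance(59)
    out.append(throttle.attempt("alice", lambda: True))   # still locked, re-armed
    clock.advance(61)
    out.append(throttle.attempt("alice", lambda: True))   # lockout lapsed
    return out


if __name__ == "__main__":
    print(scenario())
```

With `extend_on_retry=False` the wait reported to the user counts down instead of resetting, which is friendlier to a real user who mistyped four times but gives persistent guessing software a fresh set of attempts every minute; the report's open question is exactly that trade-off.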

Changed in libravatar:
importance: Medium → High
tags: added: passwords