Temporary lock out accounts after too many bad passwords

Bug #809036 reported by François Marier
Affects: Libravatar (obsolete)
Status: Confirmed
Importance: High
Assigned to: Unassigned
Milestone:

Bug Description

To make brute-forcing of passwords impractical, Libravatar should add a delay before returning the "bad password" page, or it should temporarily lock accounts out after a few bad passwords.

Adding a timeout would waste server resources, so perhaps a temporary lockout of 1 minute after 4 bad passwords is a better strategy.

This would involve storing the number of bad passwords (to be reset every hour? or every day?) and the lockout time in the database. Users would be shown a message saying that they need to wait for 1 minute before trying again.

Should we extend the lockout time when users keep trying while they're locked out? This would create a lot of database writes in the case of a brute-forcer but could mean that dumb brute-forcing software that just keeps trying would only ever get 4 attempts.

It would be nice to find a way to extend the built-in Django auth system with such a feature.

François Marier (fmarier) wrote :

Another approach would be to use memcache to keep track of these bad passwords.

Changed in libravatar:
importance: Medium → High
tags: added: passwords
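The lockout policy sketched in the description (4 bad passwords, 1 minute lockout, counter reset after an hour, lockout extended while the user keeps trying) together with the memcache idea from the comment, written out as an added example that is not Libravatar's code: a plain dict stands in for memcache, and `now` is passed explicitly so the logic runs offline and deterministically.

```python
# Added example (not Libravatar's code): lockout policy from the report.
# `cache` is a plain dict standing in for memcache; `now` replaces time.time()
# so the behaviour can be exercised deterministically.
import time

MAX_ATTEMPTS = 4        # bad passwords allowed before lockout
LOCKOUT_SECONDS = 60    # "wait for 1 minute before trying again"
COUNTER_TTL = 3600      # bad-password counter is reset after an hour
EXTEND_ON_RETRY = True  # attempts made while locked push the lockout out

def _entry(cache, username):
    return cache.setdefault(
        username, {"failures": 0, "first_failure": None, "locked_until": 0.0})

def seconds_locked(cache, username, now=None):
    """Seconds the user must still wait (0.0 when the account is not locked)."""
    now = time.time() if now is None else now
    return max(0.0, _entry(cache, username)["locked_until"] - now)

def record_attempt(cache, username, password_ok, now=None):
    """Apply one login attempt; returns (allowed, wait_seconds).
    allowed is True only when the account is not locked AND the password
    was correct; wait_seconds is what the "please wait" message shows."""
    now = time.time() if now is None else now
    e = _entry(cache, username)
    if e["locked_until"] > now:
        # Locked: refuse without consulting the password, so software that
        # keeps hammering gains nothing and (optionally) only waits longer.
        if EXTEND_ON_RETRY:
            e["locked_until"] = now + LOCKOUT_SECONDS
        return False, e["locked_until"] - now
    # Expire a stale failure count (the "reset every hour?" question).
    if e["first_failure"] is not None and now - e["first_failure"] > COUNTER_TTL:
        e["failures"], e["first_failure"] = 0, None
    if password_ok:
        cache.pop(username, None)  # success clears all state
        return True, 0.0
    e["failures"] += 1
    if e["first_failure"] is None:
        e["first_failure"] = now
    if e["failures"] >= MAX_ATTEMPTS:
        e["locked_until"] = now + LOCKOUT_SECONDS
        e["failures"], e["first_failure"] = 0, None  # fresh count afterwards
        return False, float(LOCKOUT_SECONDS)
    return False, 0.0
```

With a real memcache backend the per-user entry would be stored under a key with an expiry of COUNTER_TTL, which replaces the explicit first_failure bookkeeping.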
