Currently there's no protection against brute-forcing the password of a username. An attacker could use a predefined dictionary to get the user's password.
As a solution, login attempts, especially unsuccessful ones, of the last 24 hrs need to be stored in a database. Therefore a shortened IP address and timestamp should be used.
Several attempts could cause a delay (max 5 sec.) and after a number of attempts (5?) the user could be prompted to enter a captcha to hinder several brute-force attempts at a time.
I've created a new table. But after validating it I've noticed that we already have a table 'user'. So I wonder if we really need a new table. To avoid overhead, wouldn't it be better to add columns to the existing table like unsuccessful login attempts and last login?
I'd argue that you'd want to record individual login attempts to have some flexibility, i.e. allowing 3 login attempts in 5 minutes or 30 logins in 24 hours etc.
Having the history of failed login attempts is also necessary to recognize whether a systematic attack on an account is in progress.
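One way to implement what this thread describes (a per-user, per-shortened-IP log of individual attempts, sliding windows such as 3 failures in 5 minutes or 30 in 24 hours, an escalating delay capped at 5 seconds and a captcha threshold of 5 failures), as an added Python example that is not the project's own code. The /24 and /48 truncation widths and the exact window limits are assumed values chosen to match the numbers mentioned in the discussion.

```python
from collections import deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed policy from the discussion: (window seconds, max failures in window).
WINDOWS = [(300, 3), (86400, 30)]
CAPTCHA_AFTER = 5       # failures in 24h before a captcha is demanded
MAX_DELAY = 5.0         # seconds, upper bound on the added delay
LONGEST_WINDOW = max(w for w, _ in WINDOWS)


def shorten_ip(ip: str) -> str:
    """Store a truncated address only: /24 for IPv4, /48 for IPv6 (assumed widths)."""
    addr = ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ip_network(f"{addr}/{prefix}", strict=False).network_address)


@dataclass
class LoginLog:
    # (username, shortened ip) -> deque of (timestamp, success) in arrival order
    attempts: dict = field(default_factory=dict)

    def record(self, username: str, ip: str, ts: int, success: bool) -> None:
        """Append one attempt and drop entries older than the longest window."""
        q = self.attempts.setdefault((username, shorten_ip(ip)), deque())
        q.append((ts, success))
        while q and ts - q[0][0] > LONGEST_WINDOW:
            q.popleft()

    def failures_within(self, username: str, ip: str, ts: int, window: int) -> int:
        """Count unsuccessful attempts for this user/IP-prefix inside the window."""
        q = self.attempts.get((username, shorten_ip(ip)), ())
        return sum(1 for t, ok in q if not ok and ts - t <= window)

    def check(self, username: str, ip: str, ts: int) -> dict:
        """Decide before verifying a password: block, delay (seconds) and captcha."""
        for window, limit in WINDOWS:
            if self.failures_within(username, ip, ts, window) >= limit:
                return {"allowed": False, "delay": MAX_DELAY, "captcha": True}
        recent = self.failures_within(username, ip, ts, LONGEST_WINDOW)
        return {
            "allowed": True,
            "delay": min(MAX_DELAY, float(recent)),  # one extra second per failure
            "captcha": recent >= CAPTCHA_AFTER,
        }
```

Calling `check` before the password comparison, and `record` after it, gives the delay/captcha escalation independently of whether the attempts live in a new table or in extra columns.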