+1 please

On 9/29/11, Wim Feijen <[email protected]> wrote:
> Hello,
>
> Would it be a good idea to write a ticket and patch to stop brute
> force attacks, either by requiring people to fill in a captcha after
> several failed login attempts, or by setting a time delay?
>
> Mozilla Secure Coding Guidelines recommend doing so, see:
> https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Easy_Quick_Wins
>
> Google uses a captcha and I favor that approach.
>
> Would it be a good idea to create a ticket for this, and write a
> patch?
>
> Best regards,
>
> Wim
>
> ---
>
> From the Mozilla Secure Coding Guidelines:
>
> Account Lockout and Failed Login
>
> Account lockouts vs. login failures should be evaluated based on the
> application. In either case, the application should be able to
> determine if the password being used is the same one over and over, or
> a different password is being used, which would indicate an attack.
>
> The error message for both cases should be generic, such as:
>
> Invalid login attempts (for any reason) should return the generic
> error message
>
> The username or password you entered is not valid
>
> Logging will be critical for these events as they will feed up into
> our security event system and we can then take action based on these
> events. The application should also take action. An example would be,
> in the case that the user is being attacked, the application should
> stop and/or slow down that user's progress by either presenting a
> captcha or by doing a time delay for that IP address. Captchas should
> be used in all cases when a limit of failed attempts has been reached.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/django-developers?hl=en.
--
Sent from my mobile device
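The quoted guidance describes four pieces that a login throttle needs: per-account failure counting that can tell "same wrong password again" from "many different passwords", one generic error message for every failure reason, a time delay keyed on the source IP, a captcha once a failure limit is reached, and structured events for the security log. The sketch below is an added example, written for this page and not code from Django or from the Mozilla guidelines; it is plain Python with no Django imports so it runs stand-alone. `LoginThrottle`, `attempt_login`, `demo_verify`, the constructed `alice` account and the fake clock are all assumptions made for the example, and the thresholds are illustrative.

```python
import hashlib
import hmac
import os
import time
from collections import deque

# One message for every failure reason: unknown user, wrong password, throttled.
GENERIC_ERROR = "The username or password you entered is not valid"


class LoginThrottle:
    """Per-account and per-IP failure tracking (hypothetical helper, not Django's)."""

    def __init__(self, max_failures=5, window=600, delay_base=2, max_delay=60,
                 attack_distinct=3, clock=time.time):
        self.max_failures = max_failures        # failures before captcha / delay
        self.window = window                    # seconds a failure stays counted
        self.delay_base = delay_base            # per-IP delay grows as base ** excess
        self.max_delay = max_delay
        self.attack_distinct = attack_distinct  # distinct wrong passwords => guessing
        self.clock = clock                      # injectable for deterministic tests
        self._key = os.urandom(32)              # keys the attempt digests below
        self._by_user = {}                      # username -> deque[(ts, digest)]
        self._by_ip = {}                        # ip -> deque[ts]
        self.events = []                        # structured records for the log pipeline

    def _digest(self, password):
        # Keyed hash of the attempt so repeats are recognisable without keeping
        # the attempted passwords themselves; the key never leaves this process.
        return hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).digest()

    def _recent(self, table, key, now, stamp):
        q = table.get(key, deque())
        while q and now - stamp(q[0]) > self.window:   # drop failures outside window
            q.popleft()
        return q

    def status(self, ip, username):
        """What the login view must do before it even checks the password."""
        now = self.clock()
        user_q = self._recent(self._by_user, username, now, lambda e: e[0])
        ip_q = self._recent(self._by_ip, ip, now, lambda t: t)
        distinct = len({d for _, d in user_q})
        delay = 0.0
        excess = len(ip_q) - self.max_failures
        if excess >= 0 and ip_q:
            required = min(self.delay_base ** excess, self.max_delay)
            delay = max(0.0, required - (now - ip_q[-1]))   # seconds still to wait
        return {
            "failures": len(user_q),
            "distinct_passwords": distinct,
            # Same wrong password over and over looks like a typo; many different
            # passwords for one account looks like guessing.
            "suspected_attack": distinct >= self.attack_distinct,
            "captcha_required": len(user_q) >= self.max_failures,
            "delay_seconds": delay,
        }

    def record_failure(self, ip, username, password):
        now = self.clock()
        self._by_user.setdefault(username, deque()).append((now, self._digest(password)))
        self._by_ip.setdefault(ip, deque()).append(now)
        st = self.status(ip, username)
        self.events.append({"event": "login_failed", "ts": now, "ip": ip,
                            "username": username, **st})
        return st

    def record_success(self, ip, username):
        self._by_user.pop(username, None)   # clear the account counter, keep the IP one
        self.events.append({"event": "login_ok", "ts": self.clock(),
                            "ip": ip, "username": username})


def attempt_login(throttle, ip, username, password, verify, captcha_ok=False):
    """Login-view logic. `verify(username, password)` is a hypothetical credential
    check. Returns (success, message, action) with action in {'none', 'delay',
    'captcha'}; every failure, whatever the reason, carries GENERIC_ERROR."""
    st = throttle.status(ip, username)
    if st["delay_seconds"] > 0:
        return False, GENERIC_ERROR, "delay"
    if st["captcha_required"] and not captcha_ok:
        return False, GENERIC_ERROR, "captcha"    # password is not even checked
    if verify(username, password):
        throttle.record_success(ip, username)
        return True, "", "none"
    st = throttle.record_failure(ip, username, password)
    if st["captcha_required"]:
        return False, GENERIC_ERROR, "captcha"
    return False, GENERIC_ERROR, "delay" if st["delay_seconds"] > 0 else "none"


# Constructed demo credential store; a real app would use its user model's hasher.
_SALT = b"demo-salt-not-secret"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 50_000)}


def demo_verify(username, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 50_000)
    # Hash even for unknown users so timing does not reveal whether they exist.
    return username in _USERS and hmac.compare_digest(_USERS[username], candidate)


def simulate_guessing(n=6):
    """Drive n distinct wrong guesses from one IP against 'alice' on a fake clock
    ticking one second per attempt; returns (throttle, actions, clock_cell)."""
    t = [1000.0]
    throttle = LoginThrottle(max_failures=3, clock=lambda: t[0])
    actions = []
    for i in range(n):
        _, _, action = attempt_login(throttle, "203.0.113.7", "alice",
                                     f"guess{i}", demo_verify)
        actions.append(action)
        t[0] += 1.0
    return throttle, actions, t


if __name__ == "__main__":
    throttle, actions, _ = simulate_guessing()
    print(actions)              # third guess trips the captcha, later ones never reach verify
    print(throttle.events[-1])  # suspected_attack is True: three distinct passwords
```

Two things worth noticing in the flow: once the captcha is required the password is not checked at all until the captcha is solved, so the failure counter cannot be pumped from behind it, and the per-IP delay blocks even a correct password while it is running, which is the slow-down the guidance asks for. The state here lives in process memory; behind more than one worker it has to move to a shared cache, and an IP-keyed delay needs care behind shared NATs, where one guessing client can lock out everyone on the same address.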
