Hey guys,

How slow can brute force attacks be? That is, why not just let the web server/load balancer/network stack rate limit client connections to prevent DoS, and effectively thwart brute force attacks?

(I have no idea how good password guessing has been these days, so this isn't the most well informed post.)

Cheers,
Mike

On Thu, Dec 17, 2009 at 5:31 PM, tie <[email protected]> wrote:
> And here is another stab at it:
> http://code.google.com/p/django-brutebuster/
>
> On Dec 17, 9:30 pm, Tom <[email protected]> wrote:
>> Hello Everyone,
>>
>> I noticed that Django's contrib.auth doesn't provide a mechanism for
>> detecting a password brute force attack. This is necessary for a
>> couple of projects I'm working on, so I have to implement some kind of
>> solution and would really like to do it in such a way that it could
>> get contributed back to the community. I'd like to propose two
>> possible variants of the way that system works and would appreciate
>> feedback.
>>
>> The first option is the more user customizable one. I propose a new
>> signal (possibly called LoginAttempt) which User.check_password()
>> would fire before returning so that users could implement their own
>> logging and lockout policies. This is likely what I will implement
>> first so that our internal implementation doesn't interfere with
>> future general implementations.
>>
>> The second option, which is much more thorough, would add a
>> LoginAttemptLogEntry model which would look something like this:
>>
>> from django.contrib.auth.models import User
>> from django.db import models
>>
>> class LoginAttemptLogEntry(models.Model):
>>     # null=True so attempts against non-existent accounts can be logged too
>>     user = models.ForeignKey(User, null=True)
>>     datetime = models.DateTimeField(auto_now_add=True)
>>     success = models.BooleanField()
>>
>> Then either ModelBackend.authenticate() or User.check_password() would
>> log each login attempt using the LoginAttemptLogEntry. Any user's
>> account which had more than N (configurable in settings, default to
>> 5?) consecutive unsuccessful login attempts would get locked. A
>> successful password reset would then re-enable the account.
>>
>> I'd welcome any feedback, particularly from owners/committers of
>> contrib.auth.
>>
>> Thanks,
>>
>> Tom
>
> --
>
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/django-developers?hl=en.
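The two controls discussed in this thread, a per-source rate limit (Mike's question) and a per-account consecutive-failure lockout with reset (Tom's second proposal), behave differently against different attack shapes. The following is an added example, not code from the thread, from Django or from django-brutebuster: it is plain Python with an in-memory list standing in for the proposed LoginAttemptLogEntry model, a plaintext dictionary standing in for User.check_password(), and constructed usernames, passwords and IP addresses. The class and function names (LoginPolicy, distributed_guessing, password_spray) are this example's own. It shows a single-account guessing run that rotates source IPs to stay under the per-IP limit, and a one-password spray across many accounts that never trips the per-account lockout.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class LoginAttempt:
    """In-memory stand-in for the LoginAttemptLogEntry model proposed in the thread."""
    username: Optional[str]   # None for attempts against accounts that do not exist
    source_ip: str
    when: datetime
    success: bool


class LoginPolicy:
    """Per-source rate limit (what a load balancer can do) plus per-account
    consecutive-failure lockout (what only the auth layer can do)."""

    def __init__(self, users: Dict[str, str], max_failures: int = 5,
                 per_ip_limit: int = 10, per_ip_window: timedelta = timedelta(minutes=1)):
        self.users = users                  # username -> password; plaintext stands in for check_password()
        self.max_failures = max_failures    # the configurable N from the proposal
        self.per_ip_limit = per_ip_limit
        self.per_ip_window = per_ip_window
        self.attempts: List[LoginAttempt] = []
        self.locked: set = set()

    def consecutive_failures(self, username: str) -> int:
        """Failures for this account since its most recent success."""
        n = 0
        for a in reversed(self.attempts):
            if a.username != username:
                continue
            if a.success:
                break
            n += 1
        return n

    def ip_rate_exceeded(self, ip: str, now: datetime) -> bool:
        recent = sum(1 for a in self.attempts
                     if a.source_ip == ip and now - a.when < self.per_ip_window)
        return recent >= self.per_ip_limit

    def attempt(self, username: str, password: str, ip: str, now: datetime) -> str:
        """Returns 'rate_limited', 'locked', 'failed' or 'ok'; only the last two
        mean the password was actually evaluated."""
        if self.ip_rate_exceeded(ip, now):
            return "rate_limited"
        if username in self.locked:
            return "locked"
        known = username in self.users
        ok = known and self.users[username] == password
        self.attempts.append(LoginAttempt(username if known else None, ip, now, ok))
        if not ok and known and self.consecutive_failures(username) >= self.max_failures:
            self.locked.add(username)
        return "ok" if ok else "failed"

    def password_reset(self, username: str, now: datetime) -> None:
        """A successful reset re-enables the account and ends the failure streak."""
        self.locked.discard(username)
        self.attempts.append(LoginAttempt(username, "-", now, True))


T0 = datetime(2009, 12, 17, 17, 31)   # fixed clock for the constructed scenarios


def lockout_and_reset() -> List[str]:
    """Three wrong guesses, then even the right password is refused until a reset."""
    p = LoginPolicy({"bob": "s3cret"}, max_failures=3)
    ip = "198.51.100.2"
    out = [p.attempt("bob", "wrong", ip, T0 + timedelta(seconds=i)) for i in range(4)]
    out.append(p.attempt("bob", "s3cret", ip, T0 + timedelta(seconds=4)))
    p.password_reset("bob", T0 + timedelta(seconds=5))
    out.append(p.attempt("bob", "s3cret", ip, T0 + timedelta(seconds=6)))
    return out


def distributed_guessing(max_failures: int, guesses: int = 60) -> int:
    """One target account, a fresh source IP every 3 guesses, paced under the
    per-IP limit. Returns how many guesses the auth layer actually evaluated."""
    p = LoginPolicy({"alice": "correct-horse"}, max_failures=max_failures, per_ip_limit=3)
    evaluated = 0
    for i in range(guesses):
        r = p.attempt("alice", f"guess{i}", f"10.0.{i // 3}.1", T0 + timedelta(seconds=i))
        evaluated += r in ("failed", "ok")
    return evaluated


def password_spray(per_ip_limit: int, accounts: int = 50) -> Dict[str, int]:
    """One password against many accounts from a single IP: no account ever
    reaches N consecutive failures, so only the per-IP limit can stop it."""
    users = {f"user{i}": f"pw{i}" for i in range(accounts)}
    p = LoginPolicy(users, max_failures=5, per_ip_limit=per_ip_limit)
    evaluated = 0
    for i, name in enumerate(users):
        r = p.attempt(name, "Winter2009!", "203.0.113.7", T0 + timedelta(seconds=i))
        evaluated += r in ("failed", "ok")
    return {"evaluated": evaluated, "locked_accounts": len(p.locked)}


if __name__ == "__main__":
    print(lockout_and_reset())                       # ['failed', 'failed', 'failed', 'locked', 'locked', 'ok']
    print(distributed_guessing(max_failures=10**9))  # 60: the per-IP limit alone never fires
    print(distributed_guessing(max_failures=5))      # 5: account lockout stops it
    print(password_spray(per_ip_limit=10**9))        # {'evaluated': 50, 'locked_accounts': 0}
    print(password_spray(per_ip_limit=10))           # {'evaluated': 10, 'locked_accounts': 0}
```

The two runs illustrate why the answer to "how slow can brute force be" is not enough on its own: a connection-level limit at the load balancer is evaded by spreading guesses over many sources or pacing them, while the per-account counter from Tom's proposal catches that case, and the reverse holds for a spray of one common password across many accounts. Note also that a lockout that a stranger can trigger with five wrong guesses is itself a denial-of-service lever against any known username, which is why the reset-to-unlock path in the proposal matters.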
