do you guys know about django-axes? (http://code.google.com/p/django-axes/)
it allows you to lock out an IP or IP/User-Agent combo on a given number of failures.

On Fri, Mar 4, 2011 at 5:22 PM, Shawn Milochik <[email protected]> wrote:

> I have an immediate interest in this discussion. One of my company's
> Django apps was recently subjected to an external risk assessment team
> audit. They found the fact that three invalid password attempts didn't
> lock out the user to be completely unacceptable.
>
> Granted, this is something that I should have applied myself, and if
> it were automatically part of Django it would frustrate many
> developers because it would inconvenience their users.
>
> However, considering it's an OWASP concern, and likely a wheel which
> will be reinvented repeatedly, I would like to see it in Django. I am
> willing to put my time into the effort. If Rohit and his team end up
> taking on the project I will coordinate with them to see how I can
> help.
>
> It seems that any implementation of this would require another value
> for settings.py, and I know that's something not done lightly. Also,
> the thread referred to above discusses throttling, whereas the
> "recommendation" provided to us by the auditors was user lockout
> requiring administrator activity (human intervention) to unlock.
>
> So the next question is whether the core dev team is interested in
> discussing configurable lockout (number of attempts and human
> intervention or timeout to release the lock), throttling, or both.
> Then, how to best go about it.
>
> Incidentally, I'll be at PyCon if anyone wants to get together after
> hours to work on this during the main days (I won't be at the
> sprints).
>
> Shawn
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/django-developers?hl=en.
--
Brendan Smith, IT Specialist
National Priorities Project
http://www.nationalpriorities.org
http://www.costofwar.com
http://www.facebook.com/nationalpriorities
413 584 9556
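The two policies the thread weighs against each other (lock after N failures and release after a timeout, or lock until an administrator intervenes), keyed on the client IP alone or on the IP/User-Agent combination that django-axes offers, are small enough to model directly. The following is an added example written for this thread; it is not code from django-axes, from Django, or from either poster. The class and function names, the failure limit of three (the figure Shawn's auditors cited), the 15-minute cool-off and the in-memory dictionary store are all assumptions made for the example; a real deployment would keep the state in a shared cache or database so every application server sees the same counters.

```python
"""Model of a failed-login lockout policy (added example, not django-axes code).

Counts failed attempts per key (client IP, or IP plus User-Agent), locks the
key after FAILURE_LIMIT failures, and releases the lock either after
COOL_OFF_SECONDS or only when an administrator calls admin_unlock().
All names, thresholds and the in-memory store are assumptions for the example.
"""
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

FAILURE_LIMIT = 3        # assumed; matches the "three attempts" the auditors cited
COOL_OFF_SECONDS = 900   # assumed 15-minute release; unused when admin unlock is required


def lockout_key(ip: str, user_agent: Optional[str] = None) -> str:
    """Build the key that failures are counted against.

    Keying on IP alone is the simplest choice.  Adding the User-Agent (as
    django-axes allows) reduces collateral lockout of other users behind one
    NAT address, at the cost that the UA is client-controlled and can vary.
    The UA is hashed so the key stays short and contains no raw client bytes.
    """
    if user_agent is None:
        return f"ip:{ip}"
    ua_digest = hashlib.sha256(user_agent.encode("utf-8")).hexdigest()[:16]
    return f"ip:{ip}|ua:{ua_digest}"


@dataclass
class LockoutState:
    failures: int = 0
    locked_at: Optional[float] = None   # timestamp of the lock, None if not locked


class LockoutTracker:
    def __init__(self, limit: int = FAILURE_LIMIT, cool_off: float = COOL_OFF_SECONDS,
                 require_admin_unlock: bool = False,
                 clock: Callable[[], float] = time.time) -> None:
        self.limit = limit
        self.cool_off = cool_off
        self.require_admin_unlock = require_admin_unlock
        self.clock = clock                      # injectable for deterministic tests
        self._state: Dict[str, LockoutState] = {}

    def is_locked(self, key: str) -> bool:
        """True while the key is locked; an expired timeout lock is cleared here."""
        state = self._state.get(key)
        if state is None or state.locked_at is None:
            return False
        if self.require_admin_unlock:
            return True                         # only admin_unlock() releases it
        if self.clock() - state.locked_at >= self.cool_off:
            del self._state[key]                # lock expired; counter starts fresh
            return False
        return True

    def record_failure(self, key: str) -> bool:
        """Record one failed login and return True if the key is now locked."""
        if self.is_locked(key):
            return True
        state = self._state.setdefault(key, LockoutState())
        state.failures += 1
        if state.failures >= self.limit:
            state.locked_at = self.clock()
            return True
        return False

    def record_success(self, key: str) -> bool:
        """Clear the counter after a valid login.

        Returns False, and leaves the counter alone, if the key is locked: a
        correct password must not be accepted while locked, otherwise the lock
        merely confirms which guesses were right.
        """
        if self.is_locked(key):
            return False
        self._state.pop(key, None)
        return True

    def admin_unlock(self, key: str) -> None:
        """Human intervention: discard the lock and the counter for this key."""
        self._state.pop(key, None)


if __name__ == "__main__":
    tracker = LockoutTracker()
    key = lockout_key("203.0.113.5", "Mozilla/5.0")   # constructed sample client
    for attempt in range(1, 5):
        print(f"failure {attempt}: locked={tracker.record_failure(key)}")
    print("valid password accepted while locked:", tracker.record_success(key))
```

`record_success` is the part most often left out of home-grown implementations: once a key is locked, a correct password has to be refused too, which is why the lockout is enforced before the credential check rather than only after a failure.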
