Hello friends, I guess this is a similar issue between web2py and py4web so
I'm posting to both groups. Sorry if I'm abusing ...

We had a cybersecurity audit in our web2py app and they found this issue:

QUOTE
During the application audit process, it was possible to identify that the
company portal does not implement the restriction of blocking accounts due to
invalid login attempts. This allows an attacker to use brute force attacks to
attempt a valid credential indefinitely.

*Recommendation*
We recommend implementing account lockout policies for invalid login attempts,
as well as captcha and multi-factor authentication mechanisms, as well as
session timeouts to log out a user who has been inactive on the system for
some time.
UNQUOTE

I already activated MFA in my app, but it only works if the password is
correct.
An attacker trying to guess the password could run a forever loop trying
to log in, and it can stress the server CPU.

Any comments on this ?

Regards
António
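As an added illustration of the account-lockout control the auditor recommends (my own Python, not web2py's Auth code), the sketch below keeps a sliding window of failed attempts per account, locks the account for a while once the threshold is reached, and refuses further attempts before the password is even checked, so a guessing loop stops costing CPU. The `check_password` callback and the `clock` parameter are assumptions standing in for the real credential check and for testable time.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account failed-login tracker with temporary lockout.

    Constructed example: once `max_failures` failures land within
    `window_seconds`, the account is locked for `lockout_seconds`.
    A successful login clears the account's state.
    """

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                     # injectable for tests
        self._failures = defaultdict(deque)    # username -> failure times
        self._locked_until = {}                # username -> unlock time

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:              # lockout expired: reset
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def record_failure(self, username):
        """Returns True if this failure triggered a lockout."""
        now = self.clock()
        q = self._failures[username]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[username] = now + self.lockout
            return True
        return False

    def record_success(self, username):
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def attempt_login(throttle, username, password, check_password):
    """Hypothetical login handler: deny before the (expensive) password
    check when the account is locked, so brute force is cut off cheaply."""
    if throttle.is_locked(username):
        return "locked"
    if check_password(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "invalid"
```

Note that a pure per-account lockout lets an attacker deny service to a known username by failing on purpose, so in practice it is paired with a per-source-IP limit or a captcha rather than used alone.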

You received this message because you are subscribed to the Google Groups 
"web2py-users" group.