[Catalyst] Rate limiting password attacks

Carl Johnstone catalyst at fadetoblack.me.uk
Fri Aug 17 15:56:23 GMT 2007

> Anyone doing something like this already?  Suggestions? Caveats?

You'll almost certainly have to log it per-IP address rather than an a 
cookie or session or anything like that. Any real password-cracking bot is 
unlikely to honour your cookies or session identifiers.

Which in return means you'll need to be careful, you don't want to block AOL 
users from logging in, just because a few of them all forgot their passwords 
within a few minutes of each other.

As an idea, how about adding an (increasing) artificial delay into the 
response when the clients send an invalid username/password. It would make 
things increasingly awkward for crackers, whilst still letting good users 
through. A suggestion though it wouldn't work very well in mod_perl or 
similar setups where you can't afford to tie up system resources holding 
onto client connections.


More information about the Catalyst mailing list