[Catalyst] Rate limiting password attacks
    Perrin Harkins 
    perrin at elem.com
       
    Fri Aug 17 19:33:21 GMT 2007
    
    
  
On 8/17/07, Bill Moseley <moseley at hank.org> wrote:
> I missed something along the way in this thread.  Cookies?  Is that to
> block a specific client?

Yes, as opposed to an IP that could be a proxy.

> I'm just thinking of blocking specific logins when too many failed
> logins are attempted.

That works if they keep hitting the same login with different
passwords.  Are you concerned about them trying many logins with a
common password?  ("secret")  That wouldn't be caught.

- Perrin
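
The gap described in this message, as an added example (not code from the thread or from Catalyst): a failure counter keyed only by login never trips when one password is tried across many logins, while a second counter keyed by a client identifier, such as the cookie discussed above, does. The class name, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class FailedLoginLimiter:
    """Sliding-window failure counters keyed by login and by client."""

    def __init__(self, per_login=5, per_client=10, window=900):
        self.per_login = per_login      # assumed threshold per login name
        self.per_client = per_client    # assumed threshold per cookie/IP
        self.window = window            # seconds a failure stays counted
        self.by_login = defaultdict(deque)
        self.by_client = defaultdict(deque)

    def _recent(self, queue, now):
        # Drop failures older than the window, then count what is left.
        while queue and now - queue[0] >= self.window:
            queue.popleft()
        return len(queue)

    def record_failure(self, login, client, now):
        self.by_login[login].append(now)
        self.by_client[client].append(now)

    def blocked(self, login, client, now):
        """Return which counter refuses this attempt, or None."""
        if self._recent(self.by_login[login], now) >= self.per_login:
            return "login"
        if self._recent(self.by_client[client], now) >= self.per_client:
            return "client"
        return None


def replay(events, limiter):
    """Feed (time, login, client) failed attempts; return each verdict."""
    verdicts = []
    for now, login, client in events:
        reason = limiter.blocked(login, client, now)
        verdicts.append(reason)
        if reason is None:
            limiter.record_failure(login, client, now)
    return verdicts


# Constructed sample events (all are failed attempts).
# Same login, different passwords: the per-login counter catches this.
SAME_LOGIN = [(t, "alice", "cookie-A") for t in range(8)]
# Many logins, one common password: only the per-client counter sees it.
MANY_LOGINS = [(t, f"user{t}", "cookie-B") for t in range(14)]
```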
    
    