[Catalyst] Rate limiting password attacks

Bill Moseley moseley at hank.org
Fri Aug 17 23:11:21 GMT 2007


On Fri, Aug 17, 2007 at 02:33:21PM -0400, Perrin Harkins wrote:
> > I'm just thinking of blocking specific logins when too many failed
> > logins are attempted.
> 
> That works if they keep hitting the same login with different
> passwords.  Are you concerned about them trying many logins with a
> common password?  ("secret")  That wouldn't be caught.

For this I'm talking about someone trying many passwords on one login.
Logins may be easier to figure out if you know something about the
user base (names or email addresses).

But, I suppose one could use either the login or password (or both
separately) as the key to the cache entry counting failed logins.



-- 
Bill Moseley
moseley at hank.org


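One way to implement the two counters described in the message above, keyed separately on the login and on the password guess. This is an added example and not code from the thread or from Catalyst; it is plain Python rather than Perl so the logic is framework-agnostic, and the class name, thresholds, window length and the in-memory dict (standing in for whatever cache store the application already uses) are all assumptions made here. The per-password key is a keyed hash of the guess rather than the guess itself, so the cache never holds candidate passwords in the clear.

```python
import hashlib
import hmac
import time


class FailedLoginLimiter:
    """Count failed logins per login name and per password guess, each in
    its own fixed window. The per-login counter catches one account being
    hit with many passwords; the per-password counter catches one password
    being tried against many accounts (spraying). Names and limits are
    assumptions for this example, not anything from the thread."""

    def __init__(self, secret, max_per_login=5, max_per_password=20,
                 window=600, clock=time.time):
        self._secret = secret            # HMAC key for the password counter
        self._max_login = max_per_login
        self._max_password = max_per_password
        self._window = window            # seconds a counter stays alive
        self._clock = clock
        self._counters = {}              # key -> [count, window_start]

    def _login_key(self, login):
        return "login:" + login.strip().lower()

    def _password_key(self, password):
        # A keyed hash recognises the same guess again but cannot be turned
        # back into the password by anyone who reads the cache.
        digest = hmac.new(self._secret, password.encode("utf-8"),
                          hashlib.sha256).hexdigest()
        return "pw:" + digest

    def _count(self, key, now):
        entry = self._counters.get(key)
        if entry is None or now - entry[1] >= self._window:
            return 0                     # missing or expired entry
        return entry[0]

    def _bump(self, key, now):
        entry = self._counters.get(key)
        if entry is None or now - entry[1] >= self._window:
            self._counters[key] = [1, now]   # start a fresh window
        else:
            entry[0] += 1

    def blocked_reasons(self, login, password, now=None):
        """Return the set of limits that would block this attempt
        ("login", "password"); an empty set means the attempt may proceed."""
        now = self._clock() if now is None else now
        reasons = set()
        if self._count(self._login_key(login), now) >= self._max_login:
            reasons.add("login")
        if self._count(self._password_key(password), now) >= self._max_password:
            reasons.add("password")
        return reasons

    def record_failure(self, login, password, now=None):
        now = self._clock() if now is None else now
        self._bump(self._login_key(login), now)
        self._bump(self._password_key(password), now)

    def record_success(self, login):
        # A good login clears that account's counter; the per-password
        # counter is left alone so a spray in progress stays visible.
        self._counters.pop(self._login_key(login), None)


def simulate():
    """Constructed scenario (sample data made up for this example): a brute
    force against one account, then a spray of one guess across accounts."""
    limiter = FailedLoginLimiter(b"example-hmac-key", max_per_login=5,
                                 max_per_password=20, window=600)
    t = 1000.0

    # Attack 1: many passwords against one login
    for i in range(5):
        limiter.record_failure("alice", "guess%d" % i, now=t + i)
    alice_blocked = limiter.blocked_reasons("alice", "guess99", now=t + 10)

    # Attack 2: one common password against many logins
    for i in range(20):
        limiter.record_failure("user%02d" % i, "secret", now=t + 100 + i)
    spray_blocked = limiter.blocked_reasons("user99", "secret", now=t + 130)

    # An unrelated login with an unrelated password is unaffected
    other = limiter.blocked_reasons("bob", "correct horse", now=t + 140)

    # A successful login clears only the per-login counter
    limiter.record_success("alice")
    after_success = limiter.blocked_reasons("alice", "guess99", now=t + 150)

    # Once the window has passed, the spray counter has expired too
    after_window = limiter.blocked_reasons("user99", "secret", now=t + 2000)

    return {"alice": alice_blocked, "spray": spray_blocked, "other": other,
            "after_success": after_success, "after_window": after_window}


if __name__ == "__main__":
    print(simulate())
```

Two caveats a practitioner would add: a hard lockout keyed only on the login lets an attacker deny service to any account whose name they can guess, so a growing delay or a CAPTCHA after the limit is usually friendlier than a block; and if the counters live in a shared cache, the HMAC key for the password counter should be treated like any other application secret.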

