brute force attack mitigation

[sandropons]

hello,
i've added a basic control to mitigate brute force login attempts to check against users in database.

[panique]

Thanks, but isn't exactly this already implemented ? Can you please have a look here:
https://github.com/panique/huge/blob/master/application/model/LoginModel.php#L77

[sandropons]

Hi,
The one already implemented does block login attempts only for found usernames.

A brute force attack can do unlimited logins attempts to guess usernames without any limit.

I've just placed a limit of 3 attempts and 30 second interval for that.

Hope it's useful.
Cheers,
Sandro

[panique]

Hey, I've added this to the project, but as you've pushed to master branch (needs to be pushed to develop branch) I had to move your commit via a patch. This has unfortunatly removed your name as the author of these lines (and replaced it with mine)... Hmm... Sorry for that! If it's important for you, then you can resubmit this to develop branch!

Thanks again and have a great day!

[sandropons]

Hi, no problem with that, thanks to you for the cool project!

Cheers,
Sandro

2015-07-09 4:07 GMT+02:00 Chris [email protected]:

Hey, I've added this to the project, but as you've pushed to master branch
(needs to be pushed to develop branch) I had to move your commit via a
patch. This has unfortunatly removed your name as the author of these lines
(and replaced it with mine)... Hmm... Sorry for that! If it's important for
you, then you can resubmit this to develop branch!

Thanks again and have a great day!

—
Reply to this email directly or view it on GitHub
#669 (comment).