Limit login attempts, lock out the account after configurable # of attempts #1453
Comments
|
Would you be doing this on a timeout basis or could you maybe just forward them to the reset password page automatically after X failed login attempts. Maybe include a link to go back to login which unlocks the login page ... Not sure how bots would cope with that though. Alternatively alter the password reset email with another link to "unlock the account" as well as one to change passwords. Not sure which would be better. |
|
The reset system is stupidly built. It ought to be rewritten to use lru-cache instead of saving keys to redis. Lockouts can be handled similarly. |
|
The only downside is that resets and lockouts will reset if the server restarts, but that's a very minor downside. |
|
Would be nice to email the user on unsuccessful login attempt(s) as well |
Helpful to prevent brute force attempts to log into somebody's account.
The text was updated successfully, but these errors were encountered: