Handle bruteforce on login
shyba opened this issue
Why
Multiple failed logins should block the user (ip?) or the account for security reasons.
Way to reproduce
- go to login page
- try fake passwords on 'alice' multiple times
- no problem or feedback; you can keep trying
Definition of done
I am unable to try a password more than 3 or 4 times.
Tips
@fbernitt had an idea about using fail2ban to achieve this.
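One way to meet the definition of done above, as an added example that is not Pixelated's own code: a small lockout tracker in Python (the project's language) that counts failed logins per account and per client IP inside a sliding window and blocks further attempts for a lockout period once the limit is hit. The user store, the salt, the limits, the key names and the `attempt_login` helper are all assumptions made for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 3        # attempts allowed before lockout (the issue asks for 3 or 4)
WINDOW_SECONDS = 300    # failures older than this no longer count
LOCKOUT_SECONDS = 900   # how long a key stays blocked after reaching the limit


class LoginThrottle:
    """Track failed logins per key ('user:alice', 'ip:203.0.113.7') and block after MAX_FAILURES."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock                    # injectable so tests can fake time
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time at which the lock expires

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, key):
        now = self.clock()
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                      # lock expired: start counting afresh
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, key):
        now = self.clock()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def hash_password(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed sample user store, not Pixelated's real one; fixed salt keeps the example deterministic.
_SALT = b"constructed-example-salt"
USERS = {"alice": hash_password("correct horse battery staple", _SALT)}


def attempt_login(throttle, username, password, client_ip):
    """Return (ok, reason). The throttle is consulted before any credential check."""
    account_key = "user:" + username
    ip_key = "ip:" + client_ip
    if throttle.is_blocked(account_key) or throttle.is_blocked(ip_key):
        return False, "locked"
    stored = USERS.get(username)
    # Hash even for unknown users so response time does not reveal whether the account exists.
    candidate = hash_password(password, _SALT)
    if stored is not None and hmac.compare_digest(stored, candidate):
        throttle.record_success(account_key)
        return True, "ok"
    throttle.record_failure(account_key)
    throttle.record_failure(ip_key)
    return False, "invalid"


def demo():
    """Replay the issue's reproduction: wrong passwords on 'alice' until the account is blocked."""
    t = [0.0]
    throttle = LoginThrottle(clock=lambda: t[0])
    results = []
    for guess in ("password", "123456", "letmein", "alice"):
        results.append(attempt_login(throttle, "alice", guess, "203.0.113.7")[1])
        t[0] += 1
    # Even the correct password is rejected while the lock is active...
    results.append(attempt_login(throttle, "alice", "correct horse battery staple", "203.0.113.7")[1])
    t[0] += LOCKOUT_SECONDS
    # ...and accepted again once it has expired.
    results.append(attempt_login(throttle, "alice", "correct horse battery staple", "203.0.113.7")[1])
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind with any lockout like this: the response shown to the client should be the same for "locked" and "invalid" (keep the distinction in the server log only), otherwise the login page confirms which accounts exist; and a pure per-account lock lets anyone deny service to a known user by deliberately failing, which is why the per-IP counter is kept alongside it. The log line written on each failure is also what a fail2ban filter, as suggested in the tips, would match to block the source address at the firewall.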
This is a good idea but it isn't our focus now.
Our focus now is the migration of the latest version of the Bitmask libraries into the Pixelated code.
I'll close this issue for now, it might be reopened in the future if it makes sense.