Rate limiting failed login attempts/failed password changes


Bernhard Posselt

Nov 15, 2017, 6:07:38 AM
to django-d...@googlegroups.com
Hi guys,

We've received a report from hackerone.com that our password change and
login forms are not protected against brute-forcing passwords. Since we
re-use both the built-in password change and login form views from
Django, it feels like rate limiting for these views should work out of
the box.

Using third-party extensions for this is certainly an option, but I
already have trouble upgrading to newer versions with my existing 7
Django extensions, and it feels like this feature should be implemented
for every Django installation that uses contrib.auth.

What are your thoughts on this?

regards

Bernhard Posselt

Jani Tiainen

Nov 15, 2017, 6:18:26 AM
to django-d...@googlegroups.com
Hi,

There is already a ticket in Trac:

https://code.djangoproject.com/ticket/21289
--
Jani Tiainen

Riccardo Magliocchetti

Nov 15, 2017, 6:20:20 AM
to django-d...@googlegroups.com
Is there anything wrong with doing rate limiting on the HTTP proxy? There's a good
chance it's already implemented there.

--
Riccardo Magliocchetti
@rmistaken

http://menodizero.it

Adam Johnson

Nov 15, 2017, 6:33:17 AM
to django-d...@googlegroups.com
https://github.com/jsocol/django-ratelimit is good at this, and it's well maintained so you shouldn't have any problems with upgrading. It's already tested on Django 2.0.

I agree though that it would be best for security if contrib.auth did it out of the box. But there are lots of reasons why it's hard to make it work with all the different environments django gets deployed under. The summary in django-ratelimit is very good: https://django-ratelimit.readthedocs.io/en/latest/security.html (thanks to James Socol and contributors!)

--
Adam
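To make the "out of the box" question concrete, here is an added example of the check being discussed. It is not code from Django, from django-ratelimit, or from anyone in this thread; it is a dependency-free sketch of a failed-login limiter that keys on both the client address and the submitted username, plus the one caveat the django-ratelimit security page and Riccardo's proxy suggestion both raise: an IP-based limit is only as trustworthy as the address it keys on, so X-Forwarded-For must be ignored unless the direct peer is a proxy you operate. All names (FailedAttemptLimiter, client_ip, handle_login), the in-memory store, the limit of 5 failures per 300 seconds, and the addresses in the simulated scenario are assumptions for illustration; a real deployment would back the counters with a shared store such as the Django cache so every worker process sees the same counts.

```python
import time
from collections import deque


class FailedAttemptLimiter:
    """Sliding-window counter of failed attempts per key (hypothetical helper).

    Counts are held in a process-local dict here purely so the example runs
    offline; in production the store must be shared across workers.
    """

    def __init__(self, limit=5, window_seconds=300, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._events = {}  # key -> deque of failure timestamps

    def _prune(self, key, now):
        """Drop timestamps older than the window; return the live deque or None."""
        events = self._events.get(key)
        if events is None:
            return None
        while events and now - events[0] >= self.window:
            events.popleft()
        if not events:
            del self._events[key]
            return None
        return events

    def is_blocked(self, key, now=None):
        now = self.clock() if now is None else now
        events = self._prune(key, now)
        return events is not None and len(events) >= self.limit

    def record_failure(self, key, now=None):
        now = self.clock() if now is None else now
        self._events.setdefault(key, deque()).append(now)

    def reset(self, key):
        self._events.pop(key, None)


def client_ip(remote_addr, forwarded_for=None, from_trusted_proxy=False):
    """Choose the address to rate-limit on.

    X-Forwarded-For is attacker-controlled unless a proxy you run set it, so
    it is honoured only when the direct peer is that trusted proxy. Assumes
    one trusted proxy that appends the address it saw as the LAST entry;
    earlier entries may still be forged by the client.
    """
    if from_trusted_proxy and forwarded_for:
        return forwarded_for.split(",")[-1].strip()
    return remote_addr


def handle_login(limiter, remote_addr, username, password_ok,
                 forwarded_for=None, from_trusted_proxy=False, now=None):
    """Decide one login attempt; returns "blocked", "failed" or "ok".

    Two keys are checked: the IP key stops one address hammering many
    accounts, the username key stops many addresses hammering one account.
    """
    ip = client_ip(remote_addr, forwarded_for, from_trusted_proxy)
    user_key = ("user", username.strip().lower())
    keys = (("ip", ip), user_key)
    if any(limiter.is_blocked(k, now) for k in keys):
        return "blocked"
    if not password_ok:
        for k in keys:
            limiter.record_failure(k, now)
        return "failed"
    # A successful login clears only the per-user counter; the IP counter is
    # kept so one valid login cannot be used to unblock a password spray.
    limiter.reset(user_key)
    return "ok"


def simulate():
    """Constructed scenario (not real traffic): five bad passwords for 'alice'
    from 203.0.113.7, then further attempts inside and after the window."""
    limiter = FailedAttemptLimiter(limit=5, window_seconds=300)
    t = 1000.0
    results = []
    for i in range(6):
        results.append(handle_login(limiter, "203.0.113.7", "alice", False, now=t + i))
    # The correct password is still refused while the window is open.
    results.append(handle_login(limiter, "203.0.113.7", "alice", True, now=t + 10))
    # A second address is also refused for 'alice' (username key)...
    results.append(handle_login(limiter, "198.51.100.9", "alice", True, now=t + 11))
    # ...but may log in as a different account (its own IP key is clean).
    results.append(handle_login(limiter, "198.51.100.9", "bob", True, now=t + 12))
    # Once the window has elapsed, 203.0.113.7 may log in as 'alice' again.
    results.append(handle_login(limiter, "203.0.113.7", "alice", True, now=t + 400))
    return results


if __name__ == "__main__":
    print(simulate())
```

Two design points are worth noting. Attempts that are refused while blocked are not themselves counted, so a lockout does not extend indefinitely under continued hammering; whether that is desirable depends on whether you fear account lockout as a denial of service more than slow brute force. And keying on the username alone lets anyone lock a victim out by sending five bad passwords for them, which is exactly why the IP key and the username key are used together rather than either on its own.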

Bernhard Posselt

Nov 15, 2017, 7:26:47 AM
to django-d...@googlegroups.com

Thanks, will take a look at the webserver extensions and the django-ratelimit extension :)

The Trac ticket doesn't look like it's going to be worked on in the near future.


Bernhard Posselt

Nov 15, 2017, 8:37:48 AM
to django-d...@googlegroups.com

Ah right, this issue probably also affects the admin login. I see no other way than to use a webserver extension then.


On 15.11.17 12:32, Adam Johnson wrote: