--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/49b80757-9117-fa11-3f53-731af1f0c206%402xlibre.net.
Hi Claude,A delay of 5 seconds seems quite long. Often I fail to log into a site due to mis-selection of credentials from my password manager, so I can resubmit a login form within 1-2 seconds.
A real rate-limiting solution has the advantage of buckets of requests per time period, allowing users a few rapid attempts before being locked.Additionally, the default PBKDF2 hasher already enforces a (smaller) arbitrary delay via its algorithm iterations. I can't find a source but I think I remember reading it should be tuned to take about 100ms. This is about 1.5 orders of magnitude less than a 5 second delay, which is perhaps not so significant in terms of password brute-forcing (less difference than one extra password character). Not sure if 100ms is where Django's current default ends up on a modern CPU, but we probably aren't far off given we increase the iterations according to a formula that roughly tracks Moore's law.I'd rather see something like django-ratelimit merged to core. It's more general purpose so users can reuse and customize it, and we could potentially use it for other features in Django too.
--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/7720e6a7-b214-4602-b576-c0277b60e749o%40googlegroups.com.
- We should focus this on usernames and ignore IP addresses, as most sites are behind a reverse proxy of some kind and no one handles X-Forwarded-For headers right (even Heroku doesn't care — when I reported they were vulnerable to XFF injection, their security team [or, more accurately, their subcontractors] didn't understand the report, even after several rounds of explanation and a working proof of concept)
Someone opens the login page. In addition to the visible fields username and password and the hidden field csrftoken we add another hidden field. This field contains the earliest (server-)timestamp a user might login, and lies in the near future, for instance now() + timedelta(seconds=5). That value is cryptographically signed.
In addition to this, we disable the submit button and add a small Javascript function which sets an interval corresponding to the mandatory login delay. After that interval expired, the submit button is enabled again.
A malicious client who bypasses the disabled button and attempts to submit the login for, will receive a HTTP response with an error code > 400.
What are the advantages?
- Django doesn't have to store any state of users and/or IP addresses attempting to log in
--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/b64d44a3-c7dd-4f9a-bf4f-1b8e9818fb64n%40googlegroups.com.