I am trying to prevent username/password enumeration, brute forcing. Do
you have any experience with using Auth0?
---
On 2021-12-09 04:46 PM, lyrics.sandfish335 via Upstate Carolina Linux
Users Group wrote:
> I'm not clear on your goal. You mention login screen. Is this for
> security (prevent username/password enumeration, brute forcing) or is
> this for some sort of sign-up form and you want to prevent spam bots?
>
> If the former then it depends on your toolset but you might be able to
> integrate with the system's fail2ban facility. For example here is an
> article [1] for doing that in Rails. Obviously apply the same concept
> with whatever framework you are using.
>
> Another option for login is to go with a commercial provider that will
> implement abuse prevention for you. For example something like Auth0
> [2]. Not only does this give you abuse prevention but it also gives
> you all sorts of nice features such as social logins, OAuth-based
> login, etc. Assuming you have less than 7K users it doesn't even cost
> anything (if you have more the cost is minor for what you get).
>
> OTOH, if you are trying to prevent spam bots you don't need anything
> complicated. Just something that is unique enough to fool the bots.
> Some examples:
>
> * Include a field made not visible by CSS. Call it something like
> "username" even though you don't use that name yourself when
> processing the form. Real users will not fill it in because they
> cannot see it. Bots will generally try to fill everything in to pass
> validation. If the submission includes a value then reject the login.
>
> * Use JavaScript to calculate some value. Maybe a hash of the login
>
> Links:
> ------
> [1] https://jkraemer.net/2015/09/fail2ban-with-devise-based-rails-apps
> [2] https://auth0.com/
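As an added illustration of the two suggestions in the quoted message (the CSS-hidden honeypot field, and writing failed logins to a log that fail2ban can count), not code from the thread or from the linked article: a Python sketch of the application side. The log line format, the honeypot field name and the fail2ban-style counting are assumptions; in a real deployment the failregex goes into a fail2ban filter file and fail2ban does the counting and banning itself.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line the app writes on every failed login. fail2ban only needs a
# stable line that carries the client IP, so keep it boring and greppable.
LOG_FORMAT = "{ts} login-failed ip={ip} user={user}"
HONEYPOT_FIELD = "username"   # hidden via CSS; the real login field is "login"


def classify_login(form: dict) -> str:
    """Return 'bot' if the CSS-hidden honeypot field was filled, else 'check'."""
    if form.get(HONEYPOT_FIELD, "").strip():
        return "bot"          # a human never sees this field; drop the submission
    return "check"            # proceed to normal credential verification


def failed_login_line(ts: datetime, ip: str, user: str) -> str:
    return LOG_FORMAT.format(ts=ts.isoformat(timespec="seconds"), ip=ip, user=user)


# What would go into the fail2ban filter as failregex. fail2ban expands <HOST>
# itself; here it is replaced with an IPv4-only group so the filter can be
# exercised offline (a simplification, fail2ban also handles IPv6/hostnames).
FAILREGEX = r"login-failed ip=<HOST> user=\S+"
_HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
_FILTER = re.compile(r"^(?P<ts>\S+) " + FAILREGEX.replace("<HOST>", _HOST))


def hosts_to_ban(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style counting: ban a host with >= maxretry hits inside findtime."""
    hits = defaultdict(list)
    for line in lines:
        m = _FILTER.match(line)
        if m:
            hits[m["host"]].append(datetime.fromisoformat(m["ts"]))
    banned = set()
    for host, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(host)
                break
    return banned


# Constructed sample log (not real data): one host hammering one account,
# one slow user who mistypes a password three times over an hour.
_T0 = datetime(2021, 12, 9, 16, 46)
SAMPLE_LOG = [failed_login_line(_T0 + timedelta(seconds=20 * i), "203.0.113.5", "admin") for i in range(6)]
SAMPLE_LOG += [failed_login_line(_T0 + timedelta(minutes=25 * i), "198.51.100.7", "alice") for i in range(3)]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))   # {'203.0.113.5'}
```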