Hello Everyone,
I noticed that Django's contrib.auth doesn't provide a mechanism for
detecting a password brute force attack. This is necessary for a
couple of projects I'm working on, so I have to implement some kind of
solution and would really like to do it in such a way that it could
get contributed back to the community. I'd like to propose two
possible variants of how that system would work and would appreciate
feedback.
The first option is the more user customizable one, I propose a new
signal (possibly called LoginAttempt) which User.check_password()
would fire before returning so that users could implement their own
logging and lockout policies. This is likely what I will implement
first so that our internal implementation doesn't interfere with
future general implementations.
The second option, which is much more thorough, would add a
LoginAttemptLogEntry model which would look something like this:
class LoginAttemptLogEntry(models.Model):
    user = models.ForeignKey(User, null=True)   # null when the username matched no account
    datetime = models.DateTimeField(auto_now_add=True)
    success = models.BooleanField()
Then either ModelBackend.authenticate() or User.check_password() would
log each login attempt using the LoginAttemptLogEntry. Any user's
account which had more than N (configurable in settings, default to
5?) consecutive unsuccessful login attempts would get locked. A
successful password reset would then re-enable the account.
I'd welcome any feedback, particularly from owners/committers of
contrib.auth.
Thanks,
Tom
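As an added illustration of the second variant (not code from the post or from Django), here is the lockout logic in plain Python: the log entry is a dataclass standing in for the proposed model, LOGIN_FAILURE_LIMIT is a hypothetical settings name for N, and a completed password reset is assumed to be recorded as a successful entry so the consecutive-failure count starts over.

```python
import datetime as dt
from dataclasses import dataclass
from typing import List, Optional

# Stand-in for the proposed settings knob (name is hypothetical).
LOGIN_FAILURE_LIMIT = 5

@dataclass
class LoginAttemptLogEntry:
    """Plain-Python stand-in for the proposed model."""
    user: Optional[str]      # None when the username matched no account
    datetime: dt.datetime
    success: bool

def consecutive_failures(log: List[LoginAttemptLogEntry], user: str) -> int:
    """Failed attempts for `user` since the most recent successful entry."""
    count = 0
    for entry in sorted(log, key=lambda e: e.datetime, reverse=True):
        if entry.user != user:
            continue           # other users' and unknown-username attempts don't count
        if entry.success:
            break              # a success (or a reset, see below) restarts the count
        count += 1
    return count

def is_locked(log: List[LoginAttemptLogEntry], user: str,
              limit: int = LOGIN_FAILURE_LIMIT) -> bool:
    return consecutive_failures(log, user) >= limit

def authenticate(log: List[LoginAttemptLogEntry], user: str,
                 password_ok: bool, when: dt.datetime) -> bool:
    """Wrap the real password check (`password_ok` is its result). A locked
    account is refused even when the password is right, and that attempt is
    logged as a failure: logging it as a success would reset the counter and
    let the very next attempt through."""
    if is_locked(log, user):
        log.append(LoginAttemptLogEntry(user, when, False))
        return False
    log.append(LoginAttemptLogEntry(user, when, password_ok))
    return password_ok

def password_reset(log: List[LoginAttemptLogEntry], user: str,
                   when: dt.datetime) -> None:
    """Assumption: a completed reset is recorded as a successful entry, which
    re-enables the account by restarting the consecutive-failure count."""
    log.append(LoginAttemptLogEntry(user, when, True))
```

Querying the log newest-first and stopping at the first success is what a real implementation would do with an ORDER BY on `datetime`; the in-memory sort here is only so the example runs without a database.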
--
You received this message because you are subscribed to the Google Groups
"Django developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/django-developers?hl=en.