I have an immediate interest in this discussion. One of my company's Django apps was recently subjected to an external risk assessment team audit. They found the fact that three invalid password attempts didn't lock out the user to be completely unacceptable.
Granted, this is something that I should have applied myself, and if it were automatically part of Django it would frustrate many developers because it would inconvenience their users. However, considering it's an OWASP concern, and likely a wheel which will be reinvented repeatedly, I would like to see it in Django. I am willing to put my time into the effort. If Rohit and his team end up taking on the project I will coordinate with them to see how I can help. It seems that any implementation of this would require another value for settings.py, and I know that's something not done lightly. Also, the thread referred to above discusses throttling, whereas the "recommendation" provided to us by the auditors was user lockout requiring administrator activity (human intervention) to unlock. So the next question is whether the core dev team is interested in discussing configurable lockout (number of attempts and human intervention or timeout to release the lock), throttling, or both. Then, how to best go about it. Incidentally, I'll be at PyCon if anyone wants to get together after hours to work on this during the main days (I won't be at the sprints). Shawn -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
