#36651: Brute-force password attack against inactive users returns distinct error message
-------------------------------------+-------------------------------------
     Reporter:  heindrickdumdum0217  |                    Owner:  (none)
         Type:  Bug                  |                   Status:  closed
    Component:  contrib.auth         |                  Version:  5.2
     Severity:  Normal               |               Resolution:  invalid
     Keywords:                       |  Triage Stage:  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by Jake Howard):

 The return value for `authenticate` is `User | None` - how would you
 imagine distinguishing between "There's a user here, but they're not
 active" and "There's no user with these credentials"?

 My suggestion would be to not set `is_active`, and instead handle inactive
 users in the login view yourselves.
 [https://github.com/jazzband/django-axes/ django-axes] is a fairly popular
 library which implements the behaviour you're after. If you're not able to
 use it directly, perhaps it can aid in your implementation.

 Checking whether the user is active before their password would allow for
 user enumeration of inactive accounts. A similar vulnerability was fixed in
 [https://www.djangoproject.com/weblog/2024/jul/09/security-releases/ CVE-2024-38875].
 As Jacob mentions above, brute forcing username and password is always a
 vulnerability - all changing the error message does is identify whether the
 previous attempts were valid, which yields no additional information.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36651#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
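An added illustration of the ordering Jake describes, not Django's own code and not part of the ticket: a pure-Python model of `ModelBackend`'s check-the-password-first-then-`is_active` sequence, with a constructed user store, beside the ordering the ticket asks for. The `leaky_authenticate` function, the PBKDF2 stand-in hasher and the sample users are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    is_active: bool = True

def make_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for Django's configured password hasher (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_user(password: str, is_active: bool = True) -> User:
    salt = os.urandom(16)
    return User(salt, make_hash(password, salt), is_active)

# Constructed store: one active and one inactive account.
USERS = {
    "alice": make_user("correct horse"),
    "bob": make_user("battery staple", is_active=False),
}
# Dummy user so unknown usernames still pay the hashing cost, as
# ModelBackend does by running the hasher once for a nonexistent user.
_DUMMY = make_user(os.urandom(16).hex())

def check_password(user: User, password: str) -> bool:
    return hmac.compare_digest(make_hash(password, user.salt), user.pw_hash)

def authenticate(username: str, password: str) -> Optional[User]:
    """Password first, then is_active: unknown and inactive both give None."""
    user = USERS.get(username, _DUMMY)
    if not check_password(user, password) or user is _DUMMY:
        return None
    return user if user.is_active else None

def leaky_authenticate(username: str, password: str) -> str:
    """The ordering the ticket asks for: is_active before the password, so
    the response alone reveals that an inactive username exists."""
    user = USERS.get(username)
    if user is None:
        return "bad credentials"
    if not user.is_active:
        return "account inactive"
    return "ok" if check_password(user, password) else "bad credentials"
```

With the password-first ordering, a caller cannot tell "bob" (inactive) apart from "nobody" (nonexistent) from the return value, which is exactly the `User | None` contract the comment points to.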
