Thursday, April 18, 2013

Brute Force Login Prevention

I want to build a Component / Plugin add-on to prevent brute force login attempts, but what is the best way?

Seems there are various ways, each with its own pros / cons.

Prevent attempts by blocking the IP address the request is coming from after "x" number of tries. (The IP can be changed easily / proxied / spoofed, so not much of a deterrent there.)

Lock the account by username / email, but then any third party can enter someone@somewhere.co (if the email / username exists) and lock out the actual user.

(Sure, the account holder will get an email to reset their password or whatnot.)

Adding a captcha to the login just feels wrong, so I'm not even interested in that.

Any ideas on what you think is the best route to go by?
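As an added example that is not part of the original post, here is one way to combine the two options discussed above: a hard per-IP block after many failures, plus a per-account counter that imposes a growing delay instead of a hard lock, so a third party entering someone else's username can only slow that user's logins, not lock them out. The class, its parameters and the IP / account values used are hypothetical and constructed for illustration.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Hypothetical throttle (not from the original post) that keeps one failure
    counter per source IP and one per account, both over a sliding window."""

    def __init__(self, window=600, ip_limit=20, account_limit=5,
                 base_delay=2.0, max_delay=300.0):
        self.window = window                # seconds a failure stays counted
        self.ip_limit = ip_limit            # hard block threshold per source IP
        self.account_limit = account_limit  # failures before per-account delay
        self.base_delay = base_delay        # first delay step (doubles per extra failure)
        self.max_delay = max_delay          # ceiling on the per-account delay
        self._ip_failures = defaultdict(deque)    # ip -> failure timestamps
        self._acct_failures = defaultdict(deque)  # account -> failure timestamps

    def _prune(self, timestamps, now):
        # Drop failures that have aged out of the sliding window.
        while timestamps and now - timestamps[0] > self.window:
            timestamps.popleft()

    def retry_after(self, ip, account, now=None):
        """Seconds the caller must wait before an attempt is accepted (0.0 = allowed)."""
        now = time.time() if now is None else now
        ip_hits = self._ip_failures[ip]
        self._prune(ip_hits, now)
        if len(ip_hits) >= self.ip_limit:
            # Abusive source: hard block until its oldest failure ages out.
            return self.window - (now - ip_hits[0])
        acct_hits = self._acct_failures[account]
        self._prune(acct_hits, now)
        excess = len(acct_hits) - self.account_limit
        if excess < 0:
            return 0.0
        # Per-account: a growing delay instead of a hard lock, so a stranger
        # hammering someone else's username slows logins but cannot lock them out.
        delay = min(self.base_delay * (2 ** excess), self.max_delay)
        return max(0.0, delay - (now - acct_hits[-1]))

    def record(self, ip, account, success, now=None):
        """Call after each login attempt with its outcome."""
        now = time.time() if now is None else now
        if success:
            self._acct_failures.pop(account, None)  # a real login clears the delay
        else:
            self._ip_failures[ip].append(now)
            self._acct_failures[account].append(now)
```

In a real component the counters would live in a shared store (database or cache) rather than process memory, and the per-IP block stays weak against proxied or distributed sources, as the post already notes.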
