Throttling brute force login attacks in Django

python django security brute-force
Joe Mornin picture Joe Mornin · Jul 13, 2012 · Viewed 15k times · Source

Are there generally accepted tactics for protecting Django applications against this kind of attack?

Answer

Simeon Visser picture Simeon Visser · Jul 13, 2012

You can:

  • Keep track of the failed login attempts and block the attacker after 3 attempts.
  • If you don't want to block then you can log it and present a CAPTCHA to make it more difficult in future attempts.
  • You can also increase the time between login attempts after eached failed attempt. For example, 10 seconds, 30 seconds, 1 minute, 5 minutes, et cetera. This will spoil the fun pretty quickly for the attacker.
  • Of course, choose a secure password as that will keep the attacker guessing.

Related questions

What's the purpose of Django setting ‘SECRET_KEY’?

I did a few google searches and checked out the docs ( https://docs.djangoproject.com/en/dev/ref/settings/#secret-key ), but I was looking for a more in-depth explanation of this, and why it is required. For example, what could …

Read More
How can I prevent SQL injection in PYTHON-DJANGO?

If a lamer input is inserted into an SQL query directly, the application becomes vulnerable to SQL injection, like in the following example: dinossauro = request.GET['username'] sql = "SELECT * FROM user_contacts WHERE username = '%s';" % username To drop the …

Read More
Python/Django - Avoid saving passwords in source code

I use Python and Django to create web applications, which we store in source control. The way Django is normally set up, the passwords are in plain text within the settings.py file. Storing my password in plain text would …

Read More