Throttling brute force login attacks in Django

Joe Mornin · Jul 13, 2012 · Viewed 15k times

Are there generally accepted tactics for protecting Django applications against this kind of attack?

Answer

Simeon Visser · Jul 13, 2012

You can:

  • Keep track of the failed login attempts and block the attacker after 3 attempts.
  • If you don't want to block then you can log it and present a CAPTCHA to make it more difficult in future attempts.
  • You can also increase the time between login attempts after each failed attempt. For example, 10 seconds, 30 seconds, 1 minute, 5 minutes, et cetera. This will spoil the fun pretty quickly for the attacker.
  • Of course, choose a secure password as that will keep the attacker guessing.
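The failed-attempt tracking and escalating delay from the answer above, as an added example that is not part of the question or the answer. It keys the counter on both the username and the client address, so a single source cannot hammer many accounts and a single account cannot be hammered from many sources without tripping the delay. `DictStore` is a constructed in-memory stand-in with the same `get`/`set`/`delete` shape as Django's `django.core.cache.cache`; `check_credentials`, the `BACKOFF_SCHEDULE` values and the sample usernames and addresses are assumptions for the example.

```python
import time

# Delay in seconds imposed after the 1st, 2nd, 3rd, 4th... consecutive failure
# (the answer's 10s / 30s / 1min / 5min schedule). Later failures keep the
# last value. Assumed values for the example.
BACKOFF_SCHEDULE = (10, 30, 60, 300)
# Forget a client's failure record after this much quiet time (seconds).
FAILURE_TTL = 3600


class DictStore:
    """Constructed in-memory stand-in for Django's cache. The real
    django.core.cache.cache exposes get/set/delete with these signatures,
    so it can be passed to LoginThrottle unchanged in a deployment."""

    def __init__(self):
        self._data = {}

    def get(self, key, default=None):
        return self._data.get(key, default)

    def set(self, key, value, timeout=None):
        self._data[key] = value  # timeout ignored in the in-memory stand-in

    def delete(self, key):
        self._data.pop(key, None)


class LoginThrottle:
    """Tracks consecutive failed logins per username and per client address
    and reports how long the next attempt must wait."""

    def __init__(self, store, clock=time.time):
        self.store = store
        self.clock = clock  # injectable so tests can control time

    @staticmethod
    def _keys(username, ip):
        # Two independent counters: one for the account, one for the source.
        return (f"login-fail:user:{username}", f"login-fail:ip:{ip}")

    def seconds_until_allowed(self, username, ip):
        """Return 0 if an attempt may proceed now, else the seconds remaining
        on the longest active delay among the account and address counters."""
        now = self.clock()
        remaining = 0.0
        for key in self._keys(username, ip):
            record = self.store.get(key)
            if record is None:
                continue
            failures, last_failure = record
            delay = BACKOFF_SCHEDULE[min(failures, len(BACKOFF_SCHEDULE)) - 1]
            remaining = max(remaining, last_failure + delay - now)
        return max(0, remaining)

    def record_failure(self, username, ip):
        now = self.clock()
        for key in self._keys(username, ip):
            failures, _ = self.store.get(key, (0, 0.0))
            self.store.set(key, (failures + 1, now), timeout=FAILURE_TTL)

    def record_success(self, username, ip):
        # A successful login clears both counters.
        for key in self._keys(username, ip):
            self.store.delete(key)


def attempt_login(throttle, username, password, ip, check_credentials):
    """Gate a credential check behind the throttle.

    check_credentials(username, password) -> bool is assumed; in Django it
    would wrap django.contrib.auth.authenticate(). Returns (status, wait).
    """
    wait = throttle.seconds_until_allowed(username, ip)
    if wait > 0:
        # Do not even evaluate the password while throttled.
        return "throttled", wait
    if check_credentials(username, password):
        throttle.record_success(username, ip)
        return "ok", 0
    throttle.record_failure(username, ip)
    return "failed", throttle.seconds_until_allowed(username, ip)


if __name__ == "__main__":
    # Constructed sample run with a fake clock.
    fake_now = [1000.0]
    throttle = LoginThrottle(DictStore(), clock=lambda: fake_now[0])
    creds = lambda u, p: (u, p) == ("alice", "correct-horse")
    for guess in ("a", "b", "c"):
        print(attempt_login(throttle, "alice", guess, "203.0.113.5", creds))
        fake_now[0] += 1
```

In a Django view the client address would come from `request.META.get("REMOTE_ADDR")` (or the proxy header your deployment trusts) and a `"throttled"` result is the natural place to render a CAPTCHA or a "try again in N seconds" message instead of the login form. Using the shared cache rather than a per-process dictionary matters once the site runs more than one worker, otherwise each worker keeps its own count.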