Module: Authlogic::Session::BruteForceProtection
- Included in:
- Base
- Defined in:
- lib/authlogic/session/brute_force_protection.rb
Overview
A brute force attacks is executed by hammering a login with as many password combinations as possible, until one works. A brute force attacked is generally combated with a slow hasing algorithm such as BCrypt. You can increase the cost, which makes the hash generation slower, and ultimately increases the time it takes to execute a brute force attack. Just to put this into perspective, if a hacker was to gain access to your server and execute a brute force attack locally, meaning there is no network lag, it would probably take decades to complete. Now throw in network lag and it would take MUCH longer.
But for those that are extra paranoid and can’t get enough protection, why not stop them as soon as you realize something isn’t right? That’s what this module is all about. By default the consecutive_failed_logins_limit configuration option is set to 50, if someone consecutively fails to login after 50 attempts their account will be suspended. This is a very liberal number and at this point it should be obvious that something is not right. If you wish to lower this number just set the configuration to a lower number:
class UserSession < Authlogic::Session::Base
consecutive_failed_logins_limit 10
end
Defined Under Namespace
Modules: Config, InstanceMethods
Class Method Summary collapse
Class Method Details
.included(klass) ⇒ Object
18 19 20 21 22 23 24 25 |
# File 'lib/authlogic/session/brute_force_protection.rb', line 18 def self.included(klass) klass.class_eval do extend Config include InstanceMethods validate :reset_failed_login_count, :if => :reset_failed_login_count? validate :validate_failed_logins, :if => :being_brute_force_protected? end end |