Adding a CAPTCHA to the sign in portlet
New Member Posts: 2 Join Date: 3/28/25
Good Day,
I know that CAPTCHAs can be enabled on user registration and
password forgot pages, but how would I go about adding it to the login page?
The reason is the hard lockout mechanism. If a third
party has a list of valid user usernames, then they can easily use
bots to brute force the login page and hard lockout users, essentially
a denial-of-service attack.
RE: Adding a CAPTCHA to the sign in portlet
Expert Posts: 367 Join Date: 9/5/14
Feature Request Created: https://liferay.atlassian.net/browse/LPD-52321
RE: RE: Adding a CAPTCHA to the sign in portlet
Liferay Master Posts: 764 Join Date: 1/5/10
Hi Sayfullah,
Currently our recommendation is using password policies to prevent brute force attacks and there is no plan to change this. This is a much more common method than CAPTCHA. It's insanely easy to break CAPTCHA.
Regards,
Zsigmond
RE: RE: Adding a CAPTCHA to the sign in portlet
New Member Posts: 2 Join Date: 3/28/25
Hi Zsigmond,
I wanted to clarify the issue we're facing regarding account security. The primary concern isn't just about enforcing strong password policies. The real challenge is that if an attacker has a list of usernames, they can launch a denial of service (DoS) attack. This happens because our hard lockout mechanism, which is essential to prevent brute force attacks, locks users out after a certain number of failed login attempts.
Even with strong passwords, this lockout mechanism is necessary to protect our server from brute force attacks. However, it also means that legitimate users can be locked out if an attacker repeatedly attempts to log in with their usernames.
To mitigate this, implementing a CAPTCHA adds an additional layer of security. It requires anyone attempting to log in to solve a CAPTCHA, which significantly increases the computational power needed for an attacker to carry out a brute force attack. This makes it much harder for them to succeed.
Could we consider adding this as a future feature? Similar to how we have a toggle for the register and password reset pages, we could add a toggle for the login page to enable CAPTCHA or not.
I hope this clarifies the situation.
Best regards,
Sayfullah
RE: RE: Adding a CAPTCHA to the sign in portlet
Liferay Master Posts: 764 Join Date: 1/5/10
Hi Sayfullah,
I see. I believe it’ll be achievable with the https://liferay.atlassian.net/browse/LPD-6378 and with https://liferay.atlassian.net/browse/LPD-6353 it’ll be even more customizable.
Regards,
Zsigmond