Allow more fine-grained throttling of login attempts
author: Brian Wolff <bawolff+wn@gmail.com>
Mon, 15 Feb 2016 05:01:55 +0000 (00:01 -0500)
committer: Brian Wolff <bawolff+wn@gmail.com>
Tue, 23 Feb 2016 23:02:35 +0000 (18:02 -0500)
commit: 6fcfa981544fca6a6e490334451a66046e0ab3ba
tree: 1067bcfa22dd9befd827527e4dbfe39251d939b6
parent: f45608ea3e0f00bfb05c3ebd46d5f8a70139e3b5
Allow more fine-grained throttling of login attempts

In addition to the 5 attempts every 5 minutes rule, add some long
term rules. It's extraordinarily unlikely that a non-malicious person would
use the wrong password 150 times in a row, so add a rule that you
can't have 150 login fails in a row in 48 hours all from the same
IP address. Also add the ability to set throttles across all IPs, but
do not set any of these types by default. (There is an unclear risk/benefit
tradeoff between making it easy to lock someone out of their
account in a DoS attack, and preventing brute-forcing.)

Bug: T122164
Change-Id: I5c279906936ef3991a42fc21325c3ffd4a200493
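As an added illustration (not MediaWiki's own code from this change), the following Python model shows the tiered throttle the commit message describes: a short-term rule (5 failures per 300 s per IP), a long-term rule (150 consecutive failures per 48 h per IP), and an optional all-IP rule that counts failures for a username regardless of source address. The `LoginThrottle` class, the rule field names and the sample IPs are assumptions made for this example.

```python
from collections import defaultdict, deque
import time

# Rule shape assumed for this example: count, window in seconds, and whether
# the rule keys on username alone (all_ips) or on (username, ip).
DEFAULT_RULES = [
    {"count": 5, "seconds": 300, "all_ips": False},          # short-term, per IP
    {"count": 150, "seconds": 48 * 3600, "all_ips": False},  # long-term, per IP
]


class LoginThrottle:
    def __init__(self, rules=None, clock=time.monotonic):
        self.rules = list(DEFAULT_RULES if rules is None else rules)
        self.clock = clock  # injectable clock so the logic can be tested offline
        # One timestamp log per (rule index, username, ip-or-None).
        self._fails = defaultdict(deque)

    def _key(self, i, rule, username, ip):
        return (i, username, None if rule["all_ips"] else ip)

    @staticmethod
    def _prune(log, window, now):
        # Drop failures that have aged out of this rule's window.
        while log and now - log[0] >= window:
            log.popleft()

    def is_throttled(self, username, ip):
        """True if any rule's failure count within its window is exhausted."""
        now = self.clock()
        for i, rule in enumerate(self.rules):
            log = self._fails[self._key(i, rule, username, ip)]
            self._prune(log, rule["seconds"], now)
            if len(log) >= rule["count"]:
                return True
        return False

    def record_failure(self, username, ip):
        now = self.clock()
        for i, rule in enumerate(self.rules):
            self._fails[self._key(i, rule, username, ip)].append(now)

    def clear(self, username, ip):
        # A successful login resets the counters, so only failures "in a row" count.
        for i, rule in enumerate(self.rules):
            self._fails.pop(self._key(i, rule, username, ip), None)
```

Deploying the all-IP variant trades brute-force resistance for the lockout risk the commit message notes, since anyone who knows a username can trip it.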
includes/DefaultSettings.php
includes/api/ApiLogin.php
includes/specials/SpecialChangeEmail.php
includes/specials/SpecialChangePassword.php
includes/specials/SpecialUserlogin.php