Enhanced Login Security
The Lighthouse website is currently vulnerable to brute force password attacks. This is an especially critical issue for admin and moderator (once this role is implemented) users who have control over the platform.
Before a larger beta can be launched, the following (or equivalents of the following) may need to be implemented:
- [ ] Password attempt diminishing returns. Every failed sign-in attempt makes the user wait longer before they can try to enter their password again. If a certain number of attempts fail, require the user to reset their password via email.
- [x] Verify account / password reset via email.
- [ ] Option to enable 2FA.
- [x] Some kind of CAPTCHA challenge to weed out bots. I think Shadow suggested ReCAPTCHA a while back (#143)
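As an added illustration of the first checklist item (example code, not part of Lighthouse or Beacon), a per-account throttle that doubles the wait after each failed sign-in and, past a threshold, refuses further attempts until an email password reset completes. The constants, the account-keyed state and the injectable clock are all assumptions for the example.

```python
import time
from dataclasses import dataclass

BASE_DELAY_SECONDS = 2        # wait after the first failure (assumed value)
MAX_DELAY_SECONDS = 15 * 60   # cap so the wait never grows without bound (assumed)
RESET_THRESHOLD = 10          # failures before an email reset is required (assumed)


@dataclass
class LoginState:
    failures: int = 0
    next_allowed: float = 0.0   # unix time before which attempts are refused
    reset_required: bool = False


class LoginThrottle:
    """Diminishing-returns login throttle keyed by account name.

    Note: keying by account alone means anyone who knows a username can push
    that account to the reset threshold, which is the pseudo-DoS concern raised
    later in this thread; a real deployment would combine this with source
    rate limiting (e.g. at the reverse proxy) rather than rely on it alone.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the behaviour is testable
        self._state: dict[str, LoginState] = {}

    def check(self, account: str) -> tuple[bool, str]:
        """Return (allowed, reason); reason is 'ok', 'wait' or 'reset_required'."""
        st = self._state.get(account, LoginState())
        if st.reset_required:
            return False, "reset_required"
        if self._clock() < st.next_allowed:
            return False, "wait"
        return True, "ok"

    def record_failure(self, account: str) -> int:
        """Record a failed attempt; return the wait in seconds before the next try."""
        st = self._state.setdefault(account, LoginState())
        st.failures += 1
        if st.failures >= RESET_THRESHOLD:
            st.reset_required = True   # only complete_email_reset() clears this
            return 0
        delay = min(BASE_DELAY_SECONDS * 2 ** (st.failures - 1), MAX_DELAY_SECONDS)
        st.next_allowed = self._clock() + delay
        return delay

    def complete_email_reset(self, account: str) -> None:
        """A successful login or a completed email reset clears the counters."""
        self._state.pop(account, None)

    record_success = complete_email_reset
```

The delay sequence for one account is 2, 4, 8, ... seconds (capped at 15 minutes), and the tenth consecutive failure switches the account to reset-required.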
Oh, apparently linking a pull request will make it close instead of marking the task as complete. Fun.
Do any 2FA services have API available to make this possible fairly easily? I imagine services like Google or Microsoft Authenticator make this possible with 3rd party integrations.
> require user to password reset via email
I have a feeling that this can be abused to do a pseudo-DoS attack on a user
Good thinking. Beacon's rate limit should stop that from happening, but native rate limit in the code may help. I don't know which is better, or if both can be used.
If we already have server rate limiting on Beacon, are password diminishing returns necessary? Brute force attempts would theoretically already be filtered.
It's probably alright to not have that last feature, so I will go ahead and close this.