echoplexus
Backoff for failed /password attempts
Some time limit should need to elapse before a particular user can attempt to identify again after failing. Initially I stated exponential backoff, but now I'm unsure.
Care should be taken not to end up in a state where a user is locked out of a channel or from identifying their nick because someone is spamming failed /identify or /password attempts.
Might be able to utilize the same mechanism that the spam rate limiter uses.
- /password: a rate of 3 attempts per 5 minutes sounds reasonable
- /identify: a rate of 10 attempts per 5 minutes sounds reasonable
- make the rate configurable in config.js
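
One way to apply the limits suggested above without creating the lockout described in the issue, as an added example (not echoplexus code): failures are counted per attempting client and target, so one client's failed attempts never block another client. `FailedAttemptLimiter`, `LIMITS` and `clientId` are hypothetical names, and what identifies a client (socket id, IP address) is an assumption.

```javascript
// Added example: sliding-window limiter for failed /password and /identify attempts.
// All names are hypothetical; this is not echoplexus code.
const LIMITS = {                       // assumed shape of the config.js entry
  password: { max: 3,  windowMs: 5 * 60 * 1000 },
  identify: { max: 10, windowMs: 5 * 60 * 1000 },
};

class FailedAttemptLimiter {
  constructor(limits = LIMITS) {
    this.limits = limits;
    this.failures = new Map();         // key -> ascending failure timestamps (ms)
  }

  // Key on the attempting client AND the target (channel or nick), never the
  // target alone, so failures from one client cannot lock out another.
  static key(command, clientId, target) {
    return JSON.stringify([command, clientId, target]);
  }

  // Drop failures that fell out of the window and return the remaining ones.
  recent(command, clientId, target, now) {
    const k = FailedAttemptLimiter.key(command, clientId, target);
    const cutoff = now - this.limits[command].windowMs;
    const kept = (this.failures.get(k) || []).filter((t) => t > cutoff);
    if (kept.length) this.failures.set(k, kept); else this.failures.delete(k);
    return kept;
  }

  // Milliseconds the client must wait before the next attempt; 0 means allowed.
  retryAfter(command, clientId, target, now = Date.now()) {
    const kept = this.recent(command, clientId, target, now);
    const { max, windowMs } = this.limits[command];
    if (kept.length < max) return 0;
    return kept[kept.length - max] + windowMs - now;
  }

  recordFailure(command, clientId, target, now = Date.now()) {
    const kept = this.recent(command, clientId, target, now);
    kept.push(now);
    this.failures.set(FailedAttemptLimiter.key(command, clientId, target), kept);
  }

  // A successful attempt clears that client's failure history for the target.
  recordSuccess(command, clientId, target) {
    this.failures.delete(FailedAttemptLimiter.key(command, clientId, target));
  }
}
```

Keying on the client alone leaves guessing spread across many clients unthrottled for a given target; a separate, much higher per-target ceiling can cover that without re-creating the lockout.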