Backoff for failed /password attempts

Open qq99 opened this issue 11 years ago • 2 comments

Some time limit should need to elapse before a particular user can attempt to identify again after failing. Initially I stated exponential backoff, but now I'm unsure.

Care should be taken not to end up in a state where a user is locked out of a channel or from identifying their nick because someone is spamming failed /identify or /password attempts.

qq99, Jun 09 '13 01:06

Might be able to utilize the same mechanism that the spam rate limiter uses.

qq99, Jun 25 '13 21:06

  • /password: a rate of 3 attempts per 5 minutes sounds reasonable
  • /identify: a rate of 10 attempts per 5 minutes sounds reasonable

Make the rate configurable in config.js.

qq99, Jul 09 '13 19:07
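A sketch of the limiter discussed in this thread, added here as an example and not taken from echoplexus's code: a sliding window over failed attempts using the 3-per-5-minutes and 10-per-5-minutes rates proposed above. The names `AUTH_LIMITS`, `FailedAttemptLimiter` and `clientId` are hypothetical, and counting failures per client and target (rather than per target alone) is an assumption made so that one client's failures cannot lock another user out of the same channel or nick.

```javascript
// Hypothetical config shape; the real keys in echoplexus's config.js are not shown in this issue.
const AUTH_LIMITS = {
  password: { maxFailures: 3, windowMs: 5 * 60 * 1000 },
  identify: { maxFailures: 10, windowMs: 5 * 60 * 1000 },
};

class FailedAttemptLimiter {
  constructor(limits, now = Date.now) {
    this.limits = limits;
    this.now = now; // injectable clock so the window can be tested
    this.failures = new Map(); // key -> timestamps of recent failures
  }

  // Keyed by client AND target: failures from one client never count
  // against a different client trying the same channel or nick.
  key(command, clientId, target) {
    return JSON.stringify([command, clientId, target]);
  }

  // Drops timestamps that have aged out of the window and returns the rest.
  recent(command, clientId, target) {
    const k = this.key(command, clientId, target);
    const cutoff = this.now() - this.limits[command].windowMs;
    const kept = (this.failures.get(k) || []).filter((t) => t > cutoff);
    if (kept.length) this.failures.set(k, kept); else this.failures.delete(k);
    return kept;
  }

  // Returns 0 if an attempt is allowed, else ms until the next one is.
  retryAfterMs(command, clientId, target) {
    const { maxFailures, windowMs } = this.limits[command];
    const kept = this.recent(command, clientId, target);
    if (kept.length < maxFailures) return 0;
    return kept[kept.length - maxFailures] + windowMs - this.now();
  }

  recordFailure(command, clientId, target) {
    const kept = this.recent(command, clientId, target);
    kept.push(this.now());
    this.failures.set(this.key(command, clientId, target), kept);
  }

  // A successful /password or /identify clears that client's failure history.
  recordSuccess(command, clientId, target) {
    this.failures.delete(this.key(command, clientId, target));
  }
}
```

The server would call `retryAfterMs` before checking the supplied password and reject the attempt without evaluating it when the result is non-zero. `clientId` is assumed to be whatever stable per-connection identifier the server already has.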