Tuesday, February 10, 2015

How to uniquely identify users with the same external IP address?



I have created a login module on my website. I was able to deal with simple brute-force attacks since I can identify the user based on username/email and throttle their login based on failed login attempts per user account. But when it comes to user-enumerated brute-force attacks, identifying the user becomes pretty hard. Throttling the login based on failed attempts per IP address might not work well and might annoy the users connected to the internet through a local network, since they'll have the same external IP address and might face throttling due to failed attempts made by someone else on the network.


Is there any way to uniquely identify such users?
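
The trade-off described in the question, as an added example that is not part of the original post: a small Python simulation that replays constructed login attempts through a failure throttle keyed first per account and then per IP address. The threshold, window, usernames, actor labels and the 203.0.113.7 address (documentation range) are assumptions made for illustration.

```python
from collections import defaultdict

WINDOW = 300     # seconds; assumed sliding window
MAX_FAILS = 3    # assumed failure threshold per key


class FailureThrottle:
    """Counts failed logins per key inside a sliding time window."""

    def __init__(self, max_fails=MAX_FAILS, window=WINDOW):
        self.max_fails, self.window = max_fails, window
        self.fails = defaultdict(list)

    def blocked(self, key, now):
        # Drop failures that have aged out, then compare with the threshold.
        recent = [t for t in self.fails[key] if now - t < self.window]
        self.fails[key] = recent
        return len(recent) >= self.max_fails

    def record_failure(self, key, now):
        self.fails[key].append(now)


def replay(attempts, key_of):
    """Replay (time, ip, username, password_ok, actor) tuples through a fresh
    throttle and return the actors whose attempts the throttle refused."""
    throttle = FailureThrottle()
    refused = []
    for t, ip, user, ok, actor in attempts:
        key = key_of(ip, user)
        if throttle.blocked(key, t):
            refused.append(actor)
            continue
        if not ok:
            throttle.record_failure(key, t)
    return refused


# Constructed sample: every client sits behind the same NAT address.
NAT = "203.0.113.7"
ATTEMPTS = [(i, NAT, f"user{i}", False, "guesser") for i in range(5)]  # one wrong guess per account
ATTEMPTS.append((10, NAT, "alice", True, "alice"))  # legitimate user, correct password


def per_account():
    return replay(ATTEMPTS, lambda ip, user: user)


def per_ip():
    return replay(ATTEMPTS, lambda ip, user: ip)
```

Keyed per account, nothing is refused because no single account accumulates failures; keyed per IP, the guessing stops after three failures but the legitimate user behind the same address is refused as well.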




