HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Brute force password attack

I recently downloaded and installed Vanilla Forums on my laptop to test before I upload it to my website. During testing I noticed that there is no protection against brute force password attacks. The login system only blocks password attempts that are faster than 1 second (as far as I know).

So if a hacker writes a script that attempts to log into an account every 1.5 seconds, they can try 57,600 different passwords in one day or 403,200 in a week. That’s quite scary to me or am I missing something?

Would it not be better to have a reCAPTCHA pop up after a few failed login attempts or maybe make waiting time longer between failed log in attempts?


  • Options
    LincLinc Detroit Admin


    By applying 1/sec rate limiting, we've reduced the ability of a brute force to be 1/10,000th the speed of a Class A (slowest) attack on that page.

    That puts a terrible password of 6 lowercase letters at 9.7 years to brute force.

    I believe our current safeguard is sufficient.

  • Options
    vrijvlindervrijvlinder Papillon-Sauvage MVP

    @Linc said:
    I believe our current safeguard is sufficient.

    You should change the password for your ATM .... :proud:

  • Options

    Thanks for your reply. The link you posted is very interesting. To be honest I still think the current login system is weak, because it can be attacked by a script that runs through thousands of common passwords.

    Some people use easy passwords and they use the same password for everything. So if a hacker gains a person’s forum password, they maybe able to gain access to their email address, financial stuff, etc.

    I think the login system could be much improved with reCAPTCHA after maybe 5 failed login attempts. I don’t think it would affect usability much either. If you can’t remember your password after 5 failed login attempts, it would probably be easier to just reset your password than try another 20 times.

  • Options

    there is nothign stopping you adding brute force protection. There is already plug ins


    You can also create your own.

    grep is your friend.

  • Options
    LincLinc Detroit Admin

    I don't recommend plugin solutions for problems created by gut reactions and feelings rather than critical thinking. It contributes to FUD.

Sign In or Register to comment.