Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Try Vanilla Forums Cloud product
Vanilla 2.6 is here! It includes security fixes and requires PHP 7.0. We have therefore ALSO released Vanilla 2.5.2 with security patches if you are still on PHP 5.6 to give you additional time to upgrade.

Brute force password attack

I recently downloaded and installed Vanilla Forums on my laptop to test before I upload it to my website. During testing I noticed that there is no protection against brute force password attacks. The login system only blocks password attempts that are faster than 1 second (as far as I know).

So if a hacker writes a script that attempts to log into an account every 1.5 seconds, they can try 57,600 different passwords in one day or 403,200 in a week. That’s quite scary to me or am I missing something?

Would it not be better to have a reCAPTCHA pop up after a few failed login attempts or maybe make waiting time longer between failed log in attempts?


Sign In or Register to comment.