Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Try Vanilla Forums Cloud product
After February 6, this site will no longer have Facebook, Twitter, or OpenID sign-in options. Read our announcement about social media SSO support in 2.8 for more info.

Make sure you have a current, valid email address set in your profile and set a password so you can login without it. If you get locked out after that time, you can choose "Forgot Password" to fix it as long as a valid email is on your account.

Brute force password attack

I recently downloaded and installed Vanilla Forums on my laptop to test before I upload it to my website. During testing I noticed that there is no protection against brute force password attacks. The login system only blocks password attempts that are faster than 1 second (as far as I know).

So if a hacker writes a script that attempts to log into an account every 1.5 seconds, they can try 57,600 different passwords in one day or 403,200 in a week. That’s quite scary to me or am I missing something?

Would it not be better to have a reCAPTCHA pop up after a few failed login attempts or maybe make waiting time longer between failed log in attempts?


Sign In or Register to comment.