Rate limit component for login forms

Tom Graham has recently posted about a component he’s written that notices when a login form is being brute-forced and then adds a CAPTCHA element to the form. I really like this idea as it doesn’t inconvenience genuine users at all.

In his own words:

The easiest method of preventing such attacks is to implement some kind of rate limit. Twitter now does this on their login form by adding a CAPTCHA that the user must solve after a number of failed login attempts. The theory behind this is that even if the attacker does manually solve the CAPTCHA it would sufficiently slow them down to make the brute force method unfeasible. I had been doing a similar thing in one of my applications for some time, and eventually decided to move my code into a re-usable component.

He goes on to explain how to use it and how it works, and has published the code on GitHub.
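To make the mechanism Tom describes concrete, here is a small added example of the same idea in Python. It is not Tom's component (his code is on GitHub) and not from this post; the class name, the threshold of five failures, the fifteen-minute window and the in-process dictionary used as a store are all assumptions made for the example. The important detail is the order of checks: once the failure threshold is reached, the password is not even looked at until the CAPTCHA has been solved, so an attacker gains nothing from further guesses.

```python
from collections import deque
from enum import Enum
from typing import Deque, Dict, Optional
import time


class LoginResult(Enum):
    SUCCESS = "success"
    INVALID_CREDENTIALS = "invalid_credentials"
    CAPTCHA_REQUIRED = "captcha_required"  # re-render the form with a CAPTCHA
    CAPTCHA_FAILED = "captcha_failed"


class LoginRateLimiter:
    """Counts failed logins per key and decides when the form needs a CAPTCHA.

    The store is a plain dict (an assumption for this example). Behind several
    web servers you would use a shared store such as a database or cache so that
    every node sees the same failure counts.
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 15 * 60) -> None:
        self.max_failures = max_failures      # failures allowed before the CAPTCHA appears
        self.window_seconds = window_seconds  # only failures inside this window count
        self._failures: Dict[str, Deque[float]] = {}  # key -> timestamps of failures

    def _recent_failures(self, key: str, now: float) -> Deque[float]:
        """Drop failures older than the window and return what is left."""
        q = self._failures.setdefault(key, deque())
        cutoff = now - self.window_seconds
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def captcha_required(self, key: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return len(self._recent_failures(key, now)) >= self.max_failures

    def record_failure(self, key: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._recent_failures(key, now).append(now)

    def record_success(self, key: str) -> None:
        # A genuine user who eventually logs in starts with a clean slate.
        self._failures.pop(key, None)

    def attempt_login(self, key: str, password_ok: bool,
                      captcha_ok: Optional[bool] = None,
                      now: Optional[float] = None) -> LoginResult:
        """Process one submission of the login form.

        `key` identifies what is being limited, typically the username (so that
        guesses spread over many IPs against one account are still caught).
        `captcha_ok` is None when the form was submitted without a CAPTCHA answer.
        """
        now = time.time() if now is None else now
        if self.captcha_required(key, now):
            # Do not evaluate the password until the CAPTCHA has been solved.
            if captcha_ok is None:
                return LoginResult.CAPTCHA_REQUIRED
            if not captcha_ok:
                return LoginResult.CAPTCHA_FAILED
        if password_ok:
            self.record_success(key)
            return LoginResult.SUCCESS
        self.record_failure(key, now)
        return LoginResult.INVALID_CREDENTIALS


if __name__ == "__main__":
    # Constructed walk-through: three wrong guesses, then the CAPTCHA kicks in.
    limiter = LoginRateLimiter(max_failures=3, window_seconds=60)
    t = 1000.0
    for i in range(3):
        print(limiter.attempt_login("alice", password_ok=False, now=t + i))
    print(limiter.attempt_login("alice", password_ok=True, now=t + 3))  # CAPTCHA_REQUIRED
    print(limiter.attempt_login("alice", password_ok=True, captcha_ok=True, now=t + 4))  # SUCCESS
```

The limiter is keyed by the caller, so the same class can be keyed by username, by client address, or by both, depending on which kind of brute force the application is most worried about.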

I highly recommend checking it out.

Posted by Rob on 8th September 2009 under Around the web