Module: Authlogic::Session::BruteForceProtection

Included in:
Base
Defined in:
lib/authlogic/session/brute_force_protection.rb

Overview

A brute force attack is executed by hammering a login with as many password combinations as possible until one works. Brute force attacks are generally combated with a slow hashing algorithm such as BCrypt. You can increase the cost, which makes hash generation slower and ultimately increases the time a brute force attack takes. To put this into perspective, if an attacker gained access to your server and ran a brute force attack locally, meaning there is no network lag, it would probably take decades to complete. Add network lag and it would take MUCH longer.

But for those who are extra paranoid and can’t get enough protection, why not stop the attacker as soon as you realize something isn’t right? That’s what this module is all about. By default the consecutive_failed_logins_limit configuration option is set to 50: if someone fails to log in 50 times in a row, their account will be suspended. This is a very liberal number, and at that point it should be obvious that something is not right. If you wish to lower it, just set the configuration option to a lower number:

class UserSession < Authlogic::Session::Base
  consecutive_failed_logins_limit 10
end
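The counter-and-limit behaviour described above, as a stand-alone added example (it does not use Authlogic and is not the module's own code; the LockoutPolicy class, the Hash standing in for the user record, and the demo scenario are assumptions made for illustration):

```ruby
# Models consecutive-failed-login lockout: every wrong password increments a
# per-account counter, a correct password resets it, and once the counter
# reaches the configured limit the account refuses further logins.
class LockoutPolicy
  DEFAULT_LIMIT = 50 # matches the documented consecutive_failed_logins_limit default

  attr_reader :limit

  def initialize(limit = DEFAULT_LIMIT)
    @limit = limit
  end

  # True once the account has used up its allowance of consecutive failures.
  def locked?(record)
    record[:failed_login_count] >= limit
  end

  # Simulates one login attempt against `record` (a Hash standing in for the
  # user row) and returns :locked, :success or :failure.
  def attempt(record, password_ok)
    return :locked if locked?(record) # refuse even a correct password once locked
    if password_ok
      record[:failed_login_count] = 0 # success resets the consecutive counter
      :success
    else
      record[:failed_login_count] += 1
      locked?(record) ? :locked : :failure
    end
  end
end

# Constructed scenario with a lowered limit: limit-1 wrong passwords, then the
# right one (counter resets), then `limit` wrong passwords (account locks),
# then the right password again (still locked).
def demo(limit = 10)
  policy = LockoutPolicy.new(limit)
  user = { failed_login_count: 0 }
  results = Array.new(limit - 1) { policy.attempt(user, false) }
  results << policy.attempt(user, true)
  results += Array.new(limit) { policy.attempt(user, false) }
  results << policy.attempt(user, true)
  results
end

puts demo.inspect
```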

Defined Under Namespace

Modules: Config, InstanceMethods

Class Method Summary

Class Method Details

.included(klass) ⇒ Object



# File 'lib/authlogic/session/brute_force_protection.rb', line 18

def self.included(klass)
  klass.class_eval do
    extend Config            # class-level configuration, e.g. consecutive_failed_logins_limit
    include InstanceMethods  # per-session helpers, including the :if predicates used below
    # Both validations run on each login attempt; their guards are defined in InstanceMethods.
    validate :reset_failed_login_count, :if => :reset_failed_login_count?
    validate :validate_failed_logins, :if => :being_brute_force_protected?
  end
end