How to set the maximum number of failed login attempts?

[datamweb]

I was looking for an option here to set a limit on the maximum number of failed login attempts($maxAllowefailedLogin).
I did not see a variable for this.

For example, if the user tries unsuccessfully more than 5 times, his account will be blocked for a certain period of time ($periodAlloweAgainLogin) and he will be able to log in again after the desired time.
Is this not considered?
Sorry for asking too many questions.

[kenjis]

The feature is not implemented.

[lonnieezell]

My original thought is that CodeIgniter's throttler would do the job. It seemed to match the best practices I was reading about at the time, since locking users out of accounts ends up being a very frustrating experience for people who legitimately cannot remember their password. Instead, I'd give the throttler a high cost for the login/register pages to keep it usable but make it slow enough that people are less likely to continue a brute force attempt.

[kenjis]

Personally, I think it is better to provide the feature to prevent such an attack on the login function by default.
Using throttler is fine.

[lonnieezell]

I created a PR for this.

[lonnieezell]

You're right it won't be, and it's not designed for that. Things like 5 fails in 30 minutes are a nightmare for many legitimate users who forgot which of the 1/2 dozen passwords they rotate through they use on this site, or what variation of it the might have used. They get locked out, get frustrated, sometimes leave your site if it's not important enough. That's why lockouts aren't recommended anymore.

In cases where you're get a real attack like you describe, that becomes a DOS attack as the sheer number of requests lock up your machine, if you're running a nominal site and not a giant app. In those cases something at the server or DNS level is better handled for that - like Cloudflare's DDOS protections, etc.

[kenjis]

PCI DSS requires 10 fails in 30 minutes.

8.3.4 Invalid authentication attempts are limited by:
• Locking out the user ID after not more than 10
attempts.
• Setting the lockout duration to a minimum of 30
minutes or until the user’s identity is confirmed.
https://www.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf

[lonnieezell]

PCI compliance is not what this library is aimed at - it's much more strict than the vast majority of websites will ever need. From my experience, most websites that take payments will never need to meet most of those PCI requirements, anyway, since they redirect to third-party processors, who are the ones responsible for meeting the PCI requirements.

It's not possible that any auth solution can work for all cases, and that's why Jim and Narf originally said they didn't want to put out an auth package, but I'm a believer that an auth package can meet 80% of use cases, which makes it worthwhile. If someone truly wanted to lockouts, they could implement that in the controllers or a filter pretty easily on top of this package.

[MGatner]

I think such a solution would not be hard to make and be configurable via the Config file (toggle on/off, set number of attempts, set lock duration). I also don't see this as necessary for version 1 release, so maybe we put it down as a future feature request?

[kenjis]

I don't say we need to include more strict filter in this package.

The subject is How to set the maximum number of failed login attempts?,
so I showed more information how to implement.

[datamweb]

Thanks to everyone.