Lock out users after too many failed login attempts

I'm looking for the most elegant way to lock a Django user account after several failed login attempts.

What have I tried?

I have looked unsuccessfully for similar questions on SO (If this question is a dup please, post a comment to delete this one).

At the moment I'm looking for other developers' experiences. I would prefer not to talk about what I've tried in order to not condition the answers.

As additional information, the app doesn't have UserProfile enabled (but, of course, I can enable it if it's worth it).

dani herrera asked Jan 27 '12 12:01


4 Answers

Take a look at django-axes or django-brutebuster.

DrTyrsa answered Oct 15 '22 19:10


We used django-lockout and it worked really well.

UPDATE: django-lockout's last release was in 2011: https://pypi.org/project/django-lockout/. The GitHub project does not exist anymore (404).

Michael Samoylov answered Oct 15 '22 20:10


One simple solution would be to create a variable in the User Profile that is initially 0 and increased by 1 every time the user unsuccessfully tries to log in. If this variable reaches a certain threshold (which is checked every time the user tries to log in), the user account can be suspended. Of course, when the user does successfully log in, the variable must be set back to 0.

jörg answered Oct 15 '22 20:10


Create a model called "failed_logins" with two fields: a "User" field/foreign key and a "Timestamp" field.

When a user successfully logs in, delete all "failed_logins" entries for that user.

When a user unsuccessfully logs in, create an entry in "failed_logins" for that user with the current timestamp.

On every login attempt for a given user, BEFORE checking to see if the password is correct/incorrect:

  • run a query deleting all "failed_logins" entries older than 15 minutes (or whatever time period).

  • run a query checking the count of entries in failed_logins for the user attempting to log in. If it's 5, kill the login attempt, notifying the user they have been locked out of their account and to try back in a little while.

Result: Users are locked out after 5 failed login attempts for a short while.

emeth answered Oct 15 '22 20:10
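The two answers above (jörg's per-user failure counter and emeth's "failed_logins" table with a 15-minute window) describe the same lockout procedure. The following is an added example, not code from any of the answers or from a Django package: it implements emeth's steps in plain Python with an in-memory stand-in for the table and an injectable clock, so the expiry edge case can be exercised without a database. The names (`FailedLoginStore`, `LoginService`, `attempt`), the threshold of 5 failures and the 15-minute window are assumptions taken from the answer text; in a Django app the store would be a model and the same queries would run through the ORM.

```python
from datetime import datetime, timedelta
from typing import Callable, List, Tuple

# Values from emeth's answer (assumed as constants here).
LOCKOUT_WINDOW = timedelta(minutes=15)
MAX_FAILURES = 5


class FailedLoginStore:
    """In-memory stand-in for the "failed_logins" table: one row per
    failure, holding (user, timestamp). A Django model with a ForeignKey
    and a DateTimeField would play this role in a real app."""

    def __init__(self) -> None:
        self._rows: List[Tuple[str, datetime]] = []

    def purge_older_than(self, cutoff: datetime) -> None:
        # Step 1: delete every entry older than the window, for all users.
        self._rows = [(u, t) for (u, t) in self._rows if t >= cutoff]

    def count_for(self, user: str) -> int:
        # Step 2: how many recent failures does this user have?
        return sum(1 for (u, _) in self._rows if u == user)

    def record(self, user: str, when: datetime) -> None:
        # Unsuccessful login: add a row with the current timestamp.
        self._rows.append((user, when))

    def clear(self, user: str) -> None:
        # Successful login: delete all rows for that user.
        self._rows = [(u, t) for (u, t) in self._rows if u != user]


class LoginService:
    """Wraps a password check with the lockout procedure. The clock is
    injected so tests can move time forward deterministically."""

    def __init__(
        self,
        check_password: Callable[[str, str], bool],
        store: FailedLoginStore,
        now: Callable[[], datetime] = datetime.utcnow,
    ) -> None:
        self._check_password = check_password
        self._store = store
        self._now = now

    def attempt(self, user: str, password: str) -> str:
        """Returns "locked", "ok" or "bad_password"."""
        now = self._now()
        self._store.purge_older_than(now - LOCKOUT_WINDOW)
        # The lockout check runs BEFORE the password is verified, so a
        # locked account answers "locked" whether or not the password is
        # right; the response therefore reveals nothing about the password.
        if self._store.count_for(user) >= MAX_FAILURES:
            return "locked"
        if self._check_password(user, password):
            self._store.clear(user)
            return "ok"
        self._store.record(user, now)
        return "bad_password"


def simulate() -> List[str]:
    """Constructed scenario: five wrong passwords, a sixth attempt with the
    correct password while locked, then the same attempt after the window
    has passed. Returns the sequence of outcomes."""
    clock = [datetime(2012, 1, 27, 12, 0)]  # constructed start time
    store = FailedLoginStore()
    # Constructed credential check standing in for Django's authenticate().
    service = LoginService(
        lambda user, pw: user == "alice" and pw == "correct horse",
        store,
        now=lambda: clock[0],
    )
    outcomes = [service.attempt("alice", "wrong") for _ in range(MAX_FAILURES)]
    outcomes.append(service.attempt("alice", "correct horse"))  # locked
    clock[0] += LOCKOUT_WINDOW + timedelta(minutes=1)           # window expires
    outcomes.append(service.attempt("alice", "correct horse"))  # ok
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

In Django the two queries in `attempt` map onto `FailedLogin.objects.filter(timestamp__lt=cutoff).delete()` and `FailedLogin.objects.filter(user=user).count()`, placed in the login view or a custom authentication backend ahead of the password check. Note that step 1 purges rows for every user, so a user's lock always clears after the window regardless of what other users do, and that a successful login wipes the counter, which is what jörg's "set back to 0" describes.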