hCaptcha on Login Forms
-
Putting it out there the possibility of Google ReCaptcha or hCaptcha to prevent bots brute forcing login forms.
-
Putting it out there the possibility of Google ReCaptcha or hCaptcha to prevent bots brute forcing login forms.
@dylightful Fail2Ban should already cover this.
-
Putting it out there the possibility of Google ReCaptcha or hCaptcha to prevent bots brute forcing login forms.
@dylightful I think it's a nice idea to add reCAPTCHA / hCaptcha as needed to the page. With that said, as @marcusquinn stated, fail2ban should more or less prevent any brute force attacks. Also the Cloudron has rate limits in place by default (https://docs.cloudron.io/security/#rate-limits) for Cloudron login page. Of course, that can be greatly improved as 10 requests per second per IP is far too high in my opinion, should be more like 10 requests per 5 or 10 minutes or something like that. But that was also requested already too to improve the rate limits to be more secure: https://forum.cloudron.io/post/28271 which @girish has already confirmed is going to be one of the focuses in 6.3.
-
@dylightful Fail2Ban should already cover this.
@marcusquinn It covers it to a degree. Adding a hCaptcha to the login form kills 95% of bots from submitting the form, thus not sending a full authentication request.
-
@dylightful I think it's a nice idea to add reCAPTCHA / hCaptcha as needed to the page. With that said, as @marcusquinn stated, fail2ban should more or less prevent any brute force attacks. Also the Cloudron has rate limits in place by default (https://docs.cloudron.io/security/#rate-limits) for Cloudron login page. Of course, that can be greatly improved as 10 requests per second per IP is far too high in my opinion, should be more like 10 requests per 5 or 10 minutes or something like that. But that was also requested already too to improve the rate limits to be more secure: https://forum.cloudron.io/post/28271 which @girish has already confirmed is going to be one of the focuses in 6.3.
@d19dotca All GREAT suggestions.
-
I hate captchas - although it is perhaps fair game to add one after a number of failed attempts.
As long as there's a minimum password length policy and 2FA enforceable, the rest doesn't keep me awake at night.
-
Complete thread hijacking - but if you want to see if your users are password numpties, stick their email address into here: https://haveibeenpwned.com
Also interesting to see the sort of interests people have from the leaked websites they've sign up to!
