@sgiehl opened this Pull Request on August 4th 2022

Description:

In theory it would currently be possible to brute force the reset password token after a password reset was triggered.
Due to the length of the reset token it would take ages to guess the token correctly.

Performing the brute force detection upon a failed try won't hurt, but blocks the users after several tries and thus makes the process a bit more secure.

Note: I've avoided also passing the provided login to the failed attempt, so only the IP address will be locked out.
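The following is an added illustration of the mechanism the PR describes; it is not the project's code and is written in Python rather than the project's own language. The class names `BruteForceDetector` and `PasswordResetStore`, the thresholds (5 failures in 10 minutes, 15-minute lockout), and the result strings are all assumptions chosen for the example. It shows the two points the description makes: a long random token (here 32 bytes, compared in constant time) is infeasible to guess, and a failed attempt is recorded against the client IP only, so repeated wrong tokens lock out that IP without touching the account whose login was supplied.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque


class BruteForceDetector:
    """Counts failed attempts per client IP and locks the IP out once a
    threshold is crossed inside a sliding window. Only the IP is used as the
    key, never the login, so sending wrong tokens for someone else's login
    cannot lock that person's account (mirrors the PR's IP-only choice)."""

    def __init__(self, max_attempts=5, window_seconds=600, lockout_seconds=900):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time at which the lockout ends

    def _prune(self, ip, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures[ip]
        while q and q[0] <= now - self.window:
            q.popleft()

    def is_locked(self, ip, now=None):
        now = time.time() if now is None else now
        return self._locked_until.get(ip, 0) > now

    def record_failure(self, ip, now=None):
        now = time.time() if now is None else now
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_attempts:
            self._locked_until[ip] = now + self.lockout
            self._failures[ip].clear()

    def recent_failures(self, ip, now=None):
        now = time.time() if now is None else now
        self._prune(ip, now)
        return len(self._failures[ip])


class PasswordResetStore:
    """Issues single-use reset tokens and verifies them, feeding every failed
    verification into the brute force detector (the behaviour the PR adds)."""

    def __init__(self, detector, token_bytes=32, token_ttl_seconds=3600):
        self.detector = detector
        self.token_bytes = token_bytes
        self.ttl = token_ttl_seconds
        self._tokens = {}  # login -> (token, expires_at)

    def issue_token(self, login, now=None):
        now = time.time() if now is None else now
        # 32 random bytes = 256 bits of entropy; guessing is not a practical attack.
        token = secrets.token_hex(self.token_bytes)
        self._tokens[login] = (token, now + self.ttl)
        return token

    def verify(self, login, presented, ip, now=None):
        """Returns 'locked', 'invalid' or 'ok'. A locked IP is rejected before
        the token is even looked at, so the attempt cannot leak anything."""
        now = time.time() if now is None else now
        if self.detector.is_locked(ip, now):
            return "locked"
        expected, expires_at = self._tokens.get(login, ("", 0))
        # Constant-time comparison; run it even for unknown logins so the
        # response time does not reveal whether a reset is pending.
        matches = hmac.compare_digest(expected.encode(), presented.encode())
        if not matches or expires_at <= now:
            self.detector.record_failure(ip, now)  # IP only, login deliberately not passed
            return "invalid"
        del self._tokens[login]  # single use
        return "ok"


if __name__ == "__main__":
    det = BruteForceDetector(max_attempts=3)
    store = PasswordResetStore(det)
    real = store.issue_token("alice", now=1000)
    for _ in range(3):
        print(store.verify("alice", "0" * 64, "203.0.113.7", now=1001))  # invalid x3
    print(store.verify("alice", real, "203.0.113.7", now=1002))  # locked
    print(store.verify("alice", real, "203.0.113.8", now=1003))  # ok (other IP)
```

The `now` arguments exist only to make the behaviour reproducible; in a real handler the wall clock is used. Because the detector is keyed by IP, a lockout triggered from one address does not affect the legitimate user resetting from another, which is exactly the trade-off the note in the description points at.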

Review

This Pull Request was closed on August 5th 2022