Throttling brute force login attacks in Django [closed]

Answer 1

There are many libraries available for it like Django-axes, Django-defender, Django-ratelimit, these libraries mentioned all do the same thing (with a few differences between them). You can choose the one which best suits your needs.

If you are using DRF, then you don't need an additional library (axes, ratelimit, etc.) because DRF already has the throttling functionality build in.

You can check this question :**How to prevent brute force attack in Django Rest + Using Django Rest Throttling **

Answer 2

You can:

• Keep track of the failed login attempts and block the attacker after 3 attempts.
• If you don't want to block then you can log it and present a CAPTCHA to make it more difficult in future attempts.
• You can also increase the time between login attempts after eached failed attempt. For example, 10 seconds, 30 seconds, 1 minute, 5 minutes, et cetera. This will spoil the fun pretty quickly for the attacker.
• Of course, choose a secure password as that will keep the attacker guessing.

Answer 3

As this question was asked ~7 years ago, perhaps some more recent information might be helpful.

Implementing Google reCAPTCHA v3 might be better than blindly throttling all traffic. It can tell if someone is just hammering the password and will block them accordingly. If someone looks like a human but is just getting their password wrong, it won't block them as quickly. Google knows more about the www then any one of us, so might as well leverage that.