There are many libraries available for it like Django-axes, Django-defender, Django-ratelimit, these libraries mentioned all do the same thing (with a few differences between them). You can choose the one which best suits your needs. If you are using DRF, then you don’t need an additional library (axes, ratelimit, etc.) because DRF already has the … Read more
Using the Stream API (Java 8+) boolean allEqual = list.stream().distinct().limit(2).count() <= 1 or boolean allEqual = list.isEmpty() || list.stream().allMatch(list.get(0)::equals); Using a Set: boolean allEqual = new HashSet<String>(tempList).size() <= 1; Using a loop: boolean allEqual = true; for (String s : list) { if(!s.equals(list.get(0))) allEqual = false; } Issues with OP’s code Two issues with your … Read more
I think database-persisted short lockout period for the given account (1-5 minutes) is the only way to handle this. Each userid in your database contains a timeOfLastFailedLogin and numberOfFailedAttempts. When numbeOfFailedAttempts > X you lockout for some minutes. This means you’re locking the userid in question for some time, but not permanently. It also means … Read more
In your case, breaking the hash algorithm is equivalent to finding a collision in the hash algorithm. That means you don’t need to find the password itself (which would be a preimage attack), you just need to find an output of the hash function that is equal to the hash of a valid password (thus … Read more
Hiding a salt is unnecessary. A different salt should be used for every hash. In practice, this is easy to achieve by getting 8 or more bytes from cryptographic quality random number generator. From a previous answer of mine: Salt helps to thwart pre-computed dictionary attacks. Suppose an attacker has a list of likely passwords. … Read more
Combining methods 3 and 4 from the original post into a kind of ‘fuzzy’ or dynamic whitelist, and then – and here’s the trick – not blocking non-whitelisted IPs, just throttling them to hell and back. Note that this measure is only meant to thwart this very specific type of attack. In practice, of course, … Read more