How are you all dealing with potential hacks into login attempts?
Surely you’re all not allowing users to try every email and password constantly or you’d be at risk of brute hacks. I’ve implemented session tracking that’ll block a user if more than 3 failed attempts are made regardless of whether the account exists or not.
Issue: They can use incognito mode or clear session data
I’m looking at implementing IP address limiting but I’m interested to see how others have implemented it as it’s quite annoying when you try 3 different emails and then get locked out. I wanted it so that it resets the counter per email but I didn’t want hackers to be able to change email to reset the counter then go back to the one they’re trying to hack.
I am curious to hear our security specialists weigh in on this @georgecollier @flusk
I would guess that the large majority (possibly even Bubble itself) are not doing anything specific for this and add on 2FA, but it would be good to get more insight from others. Is everyone using Captcha here?
Sure you can, because you should also have a password policy that requires numbers, special characters, capital letters, and a minimum of 8 characters, which make a brute force infeasible.
I’m sure Bubble has some rate limiting behind the scenes, but you can also:
I moved to passcode logins for my main site. Users get an email or text with a passcode. I used to use social sign-on but just wanted something simple without having to worry about API changes and other maintenance/hacks.
I guess I’m overthinking it! I’ll keep it simple. Thanks!
@agiledood great idea. I have a passcode login system, but the user chooses their 5-digit passcode and it’s stored in the current user database, which I can imagine @georgecollier will tell me is a bad idea.