Problem
Currently, anyone can attempt to brute-force user passwords almost effortlessly, even without advanced technical knowledge.
Proposed Feature
Introduce a setting that activates after a configurable number of failed login attempts. Users could choose to:
- Block all further login attempts and automatically send a password reset email
- Temporarily block login for a set duration (for example, 10 minutes)
Implementation
Once the failed-attempt threshold is reached, the system applies the user’s chosen block option. The counter resets upon successful login or after completing a password reset.
Benefits
This approach makes large-scale brute-force attacks impractical and takes a proactive step toward stronger account security.
~Rewritten with the help of AI for better formatting and clarity.~
I believe Lemmy has rate limits for requests by default, so it’s not as easy to brute force a password as you suggest. But something like this is always a good feature for additional security.
I think forcing the user to reset their password because someone is trying to guess their password probably doesn’t make sense unless they got it right. It would be annoying if a troll did this to your account.
Enable 2fa
Yes, but also additional security is good too. And you know it’s impossible to convince everyone to use 2FA, unfortunately.
2FA cannot be applied in mass, while what I am talking about can.
Overall, this is as I said a proactive step to ensure the whole Lemmyverse stay secure.
