Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at

  • Sowndar M 38 posts 109 karma points
    Sep 07, 2020 @ 12:29
    Sowndar M

    How to avoid the Bruteforceable Login

    A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. It is recomended to implementate lockout mechanism in login pages.

    For existing user we used the maxInvalidPasswordAttempts to avoid the unnecessary login attempts

    For non existing user how avoid the login attempt ?

    is there any way to add recaptcha to the umbraco login page?

  • [email protected] 378 posts 1915 karma points MVP 4x c-trib
    Sep 08, 2020 @ 06:49

    Hi Sowndar M,

    thank you for this excellent question. Unfortunately Umbraco does not have something out of the box to prevent this.

    For existing users there is something in place and you must be incredible lucky if you can bruteforce it for existing users.

    But there's nothing that locks out someone who is iterating all kinds of usernames and passwords. But on the other hand that approach won't be really succesfull I guess.

    Your best bet is locking your /umbraco/-environment down on the IP's of your client / users. This can be for example the IP adress of the company, but also a range of IP addresses. See the documentation:

    Hope this helps, although it's probably not the answer you were hoping to get :)


  • Steve Morgan 1274 posts 4191 karma points c-trib
    Sep 08, 2020 @ 08:03
    Steve Morgan


    I'm a little lost - are you saying you want to block attempts if someone is attempting a brute force but not hitting an active user.

    I would have thought this is best handled in hosting. Using something like Cloudflare and having limits on repetitive loads of URLs by the same IP?!


Please Sign in or register to post replies

Write your reply to: