Problem
Currently, anyone can attempt to brute-force user passwords almost effortlessly, even without advanced technical knowledge.
Proposed Feature
Introduce a setting that activates after a configurable number of failed login attempts. Users could choose to:
- Block all further login attempts and automatically send a password reset email
- Temporarily block login for a set duration (for example, 10 minutes)
Implementation
Once the failed-attempt threshold is reached, the system applies the user’s chosen block option. The counter resets upon successful login or after completing a password reset.
Benefits
This approach makes large-scale brute-force attacks impractical and takes a proactive step toward stronger account security.
~Rewritten with the help of AI for better formatting and clarity.~
I believe Lemmy has rate limits for requests by default, so it’s not as easy to brute force a password as you suggest. But something like this is always a good feature for additional security.
I think forcing the user to reset their password because someone is trying to guess their password probably doesn’t make sense unless they got it right. It would be annoying if a troll did this to your account.