Aravind Gottipati wrote:
Hi,
The current password policy module can lock folks out after some configurable number of failed attempts. The module currently does not differentiate between a user failing with the same wrong password a bunch of times versus a crack attempt where someone tries multiple different wrong passwords. Are there any modules that take into account if the same password is being used a bunch of times or if multiple different passwords are failing?
No.
Could this be a useful feature worth requesting (if it doesn't exist already)?
What makes you think a legitimate user who forgot their password won't try multiple times with different passwords? I.e., what makes you think you can distinguish a cracker from a legit user this way?