---
title: Implement Brute-force Protection
impact: MEDIUM
impactDescription: prevents password guessing attacks
tags: brute-force, rate-limiting, authentication, security, csharp
---

## Implement Brute-force Protection

Prevent automated password guessing by implementing rate limiting or account lockout policies.

**Incorrect (no limit):**

```csharp
[HttpPost]
public async Task<IActionResult> Login(LoginModel model)
{
    // isPersistent: false, lockoutOnFailure: false
    // Failed attempts are never counted, so an attacker can keep guessing indefinitely.
    var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, false, false);

    if (result.Succeeded)
    {
        return RedirectToAction("Index", "Home");
    }

    ModelState.AddModelError(string.Empty, "Invalid login attempt.");
    return View(model);
}
```

**Correct (lockout enabled):**

```csharp
// 1. Enable lockout in Startup (ConfigureServices)
services.AddDefaultIdentity<IdentityUser>(options =>
{
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15); // how long a locked account stays locked
    options.Lockout.MaxFailedAccessAttempts = 5;                      // failures allowed before lockout
    options.Lockout.AllowedForNewUsers = true;                        // apply lockout to newly created accounts too
});

// 2. Use it in Login
[HttpPost]
public async Task<IActionResult> Login(LoginModel model)
{
    // lockoutOnFailure: true makes Identity count failed attempts and lock the account
    // once MaxFailedAccessAttempts is reached.
    var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, false, lockoutOnFailure: true);

    if (result.IsLockedOut)
    {
        return BadRequest("Account locked out");
    }

    if (result.Succeeded)
    {
        return RedirectToAction("Index", "Home");
    }

    ModelState.AddModelError(string.Empty, "Invalid login attempt.");
    return View(model);
}
```

**Tools:** ASP.NET Core Identity (account lockout), AspNetCoreRateLimit (per-IP / per-client request rate limiting)
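Identity lockout covers the per-account half of the rule. The other half, rate limiting, is shown below as an added, framework-independent example that is not part of the original rule card or of ASP.NET Identity: a sliding-window limiter that counts failed attempts per key (an account, a source address, or both) and clears the history on a successful login. The class and method names (`LoginAttemptLimiter`, `RecordFailure`, `IsBlocked`, `Reset`) are hypothetical, and the clock is injected so the window behaviour can be reproduced deterministically.

```csharp
// Added example (not from the original page): sliding-window limiter for login attempts.
// Names are hypothetical; the clock is injected for deterministic behaviour.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;

public sealed class LoginAttemptLimiter
{
    private readonly int _maxFailures;
    private readonly TimeSpan _window;
    private readonly Func<DateTimeOffset> _now;
    // Per key: timestamps of recent failed attempts, oldest first.
    private readonly ConcurrentDictionary<string, Queue<DateTimeOffset>> _failures = new();

    public LoginAttemptLimiter(int maxFailures, TimeSpan window, Func<DateTimeOffset> now)
    {
        _maxFailures = maxFailures;
        _window = window;
        _now = now;
    }

    // True when the key has already spent its failure budget inside the window.
    public bool IsBlocked(string key)
    {
        if (!_failures.TryGetValue(key, out var q)) return false;
        lock (q)
        {
            Prune(q);
            return q.Count >= _maxFailures;
        }
    }

    // Records a failed attempt and returns how many failures remain before the key is blocked.
    public int RecordFailure(string key)
    {
        var q = _failures.GetOrAdd(key, _ => new Queue<DateTimeOffset>());
        lock (q)
        {
            Prune(q);
            q.Enqueue(_now());
            return Math.Max(0, _maxFailures - q.Count);
        }
    }

    // A successful login clears the failure history for that key.
    public void Reset(string key) => _failures.TryRemove(key, out _);

    // Drop failures that fell out of the sliding window.
    private void Prune(Queue<DateTimeOffset> q)
    {
        var cutoff = _now() - _window;
        while (q.Count > 0 && q.Peek() < cutoff) q.Dequeue();
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed clock and key; the lambda captures 'clock' by reference so we can advance it.
        var clock = new DateTimeOffset(2024, 1, 1, 0, 0, 0, TimeSpan.Zero);
        var limiter = new LoginAttemptLimiter(maxFailures: 5, window: TimeSpan.FromMinutes(15), now: () => clock);
        const string key = "user:alice@example.com";

        for (int i = 1; i <= 5; i++)
        {
            Console.WriteLine($"failure {i}: remaining = {limiter.RecordFailure(key)}");
        }
        Console.WriteLine($"blocked after 5 failures: {limiter.IsBlocked(key)}");

        clock = clock.AddMinutes(16); // the 15-minute window elapses
        Console.WriteLine($"blocked after 16 minutes: {limiter.IsBlocked(key)}");

        limiter.RecordFailure(key);
        limiter.Reset(key);           // a successful login clears the counter
        Console.WriteLine($"blocked after reset: {limiter.IsBlocked(key)}");
    }
}
```

In a login action you would call `IsBlocked` before `PasswordSignInAsync`, `RecordFailure` when the sign-in fails, and `Reset` when it succeeds. Keying only by account stops targeted guessing but lets anyone who knows a username lock that user out; keying only by source address misses password spraying from many addresses. Applying both keys, with the per-account limit backed by Identity's lockout as shown above, covers both cases. An in-memory dictionary like this one is per-process; behind a load balancer the counters belong in a shared store.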
