---
title: Brute Force Protection
impact: HIGH
impactDescription: prevents account takeover through automated credential stuffing and password guessing
tags: security, brute-force, rate-limiting, authentication
---

## Brute Force Protection

Rate limit login and every other endpoint that checks a credential (password reset, MFA code verification) and lock accounts after repeated failures, so an attacker cannot guess passwords at machine speed. Throttle on more than one key: a per-email limit caps guesses against one account no matter how many source IPs the attacker rotates through, while a per-IP limit caps one host spraying a single leaked password across many accounts (credential stuffing). Keep lockouts time-bounded so the control itself cannot be used to lock legitimate users out, and return the same generic response for throttled, locked and wrong-password cases so the endpoint does not confirm which emails exist.

**Incorrect (not rate limited):**

```ruby
# app/controllers/sessions_controller.rb
class SessionsController < ApplicationController
  def login
    # No limit on how many times this can be called: an attacker can submit
    # unlimited guesses against one account, or one password across many accounts
    user = User.authenticate(params[:email], params[:password])
    session[:user_id] = user.id if user
  end
end
```

**Correct (using Rack Attack):**

```ruby
# config/initializers/rack_attack.rb
# Key on the normalized email so guesses against one account are capped
# even when the attacker rotates source IPs.
Rack::Attack.throttle('limit logins per email', limit: 5, period: 60.seconds) do |req|
  if req.path == '/login' && req.post?
    req.params['email'].to_s.strip.downcase
  end
end

# Also key on the client IP so one host cannot spray a leaked password across many accounts.
Rack::Attack.throttle('limit logins per ip', limit: 20, period: 60.seconds) do |req|
  req.ip if req.path == '/login' && req.post?
end
```
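To show what the throttle and lockout actually do, here is an added, dependency-free example that is not code from this page or from the rack-attack gem: a small in-memory guard that applies a fixed-window limit keyed on both the normalized email and the client IP, plus a time-bounded account lockout after repeated failed logins. The class and method names, the limits, the injected clock and the simulated attack are assumptions chosen for illustration; a real deployment would keep the counters in a shared store such as Redis so every application instance sees the same numbers.

```ruby
# Added example (not from the page or from rack-attack): in-memory brute-force guard.
# Limits, names and the injectable clock are illustrative assumptions.
class BruteForceGuard
  Decision = Struct.new(:allowed, :reason, :retry_after)

  def initialize(email_limit: 5, ip_limit: 20, window: 60,
                 lock_after: 10, lock_for: 900, clock: -> { Time.now.to_f })
    @email_limit  = email_limit   # attempts per email per window
    @ip_limit     = ip_limit      # attempts per client IP per window
    @window       = window        # fixed window length in seconds
    @lock_after   = lock_after    # consecutive failures before the account locks
    @lock_for     = lock_for      # lock duration in seconds (time-bounded on purpose)
    @clock        = clock
    @counters     = Hash.new(0)   # [kind, key, window_id] => attempts in that window
    @failures     = Hash.new(0)   # normalized email => consecutive failures
    @locked_until = {}            # normalized email => unix time the lock expires
  end

  # Normalize so "Alice@Example.com " and "alice@example.com" share one bucket.
  def self.normalize(email)
    email.to_s.strip.downcase
  end

  # Call BEFORE verifying the password. Every attempt is counted, successful or
  # not, so an attacker cannot probe the endpoint without spending budget.
  def check(email:, ip:)
    now   = @clock.call
    email = self.class.normalize(email)
    if (until_t = @locked_until[email]) && until_t > now
      return Decision.new(false, :locked, (until_t - now).ceil)
    end
    @locked_until.delete(email)                 # lock has expired, clear it

    window_id   = (now / @window).floor
    retry_after = @window - (now % @window).floor
    email_count = (@counters[[:email, email, window_id]] += 1)
    ip_count    = (@counters[[:ip, ip, window_id]] += 1)
    return Decision.new(false, :throttled_email, retry_after) if email_count > @email_limit
    return Decision.new(false, :throttled_ip, retry_after)    if ip_count > @ip_limit
    Decision.new(true, :allowed, 0)
  end

  # Call after a failed password check; returns true when the lock trips.
  def record_failure(email:)
    email = self.class.normalize(email)
    @failures[email] += 1
    return false if @failures[email] < @lock_after
    @locked_until[email] = @clock.call + @lock_for
    @failures[email] = 0
    true
  end

  # Call after a successful login so ordinary typos never accumulate into a lock.
  def record_success(email:)
    @failures.delete(self.class.normalize(email))
  end
end

# Constructed scenario: one IP fires a burst of guesses at one account, waits out
# the window, keeps going until the lockout trips, then tries again from a new IP.
def simulate_attack
  t     = 1_000_000.0
  guard = BruteForceGuard.new(clock: -> { t })
  log   = []
  7.times do                                   # window 1: 5 checked, 2 throttled
    d = guard.check(email: 'Victim@Example.com', ip: '203.0.113.9')
    guard.record_failure(email: 'victim@example.com') if d.allowed
    log << d.reason
  end
  t += 61                                      # window 2: 5 more checked, 10th failure locks
  5.times do
    d = guard.check(email: 'victim@example.com', ip: '203.0.113.9')
    guard.record_failure(email: 'victim@example.com') if d.allowed
    log << d.reason
  end
  log << guard.check(email: 'victim@example.com', ip: '198.51.100.7').reason  # locked, new IP does not help
  t += 901                                     # lock (900 s) has expired
  log << guard.check(email: 'victim@example.com', ip: '198.51.100.7').reason  # allowed again
  log
end

puts simulate_attack.inspect if $PROGRAM_NAME == __FILE__
```

The per-IP limit is deliberately looser than the per-email limit: a NAT or corporate proxy legitimately produces many logins from one address, but no legitimate user needs more than a handful of attempts against a single account per minute. Because the lock is time-bounded, an attacker who knows a victim's email can at worst delay that user, not permanently deny them service.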

**Tools:** Rack Attack (rack-attack gem), Devise `:lockable` module, Brakeman

---
