Lock out users after too many failed login attempts

We used django-lockout and it worked really well

UPDATE: django-lockout's last release was 2011: https://pypi.org/project/django-lockout/. The Github project does not exist anymore (404).


One simple solution would be to create a variable in the User Profile that is initially 0 and increased by 1 every time the user unsuccessfully tries to login. If this variable reaches a certain threshold (which is checked every time the user tries to login), the user account can be suspended. Of course when the user does successfully login, the variable must be set back to 0.


Create a model called "failed_logins" with two fields, a "User" field/foreign key and a "Timestamp" field.

When a user successfully logs in, delete all "failed_logins" entries for that user.

When a user unsuccessfully logs in, create an entry in "failed_logins" for that user with the current timestamp.

On every login attempt for a given user, BEFORE checking to see if the password is correct/incorrect:

  • run a query deleting all "failed_logins" entries older than 15 minutes (or w/e time period).

  • run a query checking the count of entries in failed_logins for the user attempting to login. If it's 5, kill the login attempt, notifying the user they have been locked out of their account and to try back in a little while.

Result: Users are locked out after 5 failed login attempts for a short while.
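The three steps above written out as plain Python, as an added example rather than code from the answer: the "failed_logins" table is replaced by an in-memory dict of timestamps so it runs without Django, and `check_password` is an assumed callback standing in for the real credential check.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Callable

LOCKOUT_WINDOW = timedelta(minutes=15)   # "older than 15 minutes" from the answer
MAX_FAILURES = 5                         # "If it's 5, kill the login attempt"


class FailedLoginTracker:
    """In-memory stand-in for the "failed_logins" table: username -> failure timestamps.
    A Django version would be two queries on that model; the logic is identical."""

    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._now = now  # injectable clock so the window can be tested without sleeping
        self._failures: dict[str, list[datetime]] = defaultdict(list)

    def _prune(self, username: str) -> None:
        # Step 1: delete entries older than the window (DELETE ... WHERE timestamp < cutoff).
        cutoff = self._now() - LOCKOUT_WINDOW
        self._failures[username] = [t for t in self._failures[username] if t >= cutoff]

    def is_locked_out(self, username: str) -> bool:
        # Step 2: count what is left in the window; reaching the threshold means locked out.
        self._prune(username)
        return len(self._failures[username]) >= MAX_FAILURES

    def record_failure(self, username: str) -> None:
        # "create an entry in failed_logins for that user with the current timestamp"
        self._failures[username].append(self._now())

    def clear(self, username: str) -> None:
        # "delete all failed_logins entries for that user" on a successful login
        self._failures.pop(username, None)


def attempt_login(tracker: FailedLoginTracker, username: str, password: str,
                  check_password: Callable[[str, str], bool]) -> str:
    """Returns "locked", "ok" or "bad_password". The lockout check runs BEFORE the
    password check, so a locked-out account stays locked even with the right password."""
    if tracker.is_locked_out(username):
        return "locked"
    if check_password(username, password):
        tracker.clear(username)
        return "ok"
    tracker.record_failure(username)
    return "bad_password"
```

Keying purely on the username, as the answer does, lets anyone who knows a login name lock that account out on purpose; production code usually keys on the client address as well.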


Take a look at django-axes or django-brutebuster