Add Limitations section in the auth documentation
| Reported by: | | Owned by: | nobody |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
In http://docs.djangoproject.com/en/dev/topics/auth/, add a "Limitations" section. Specifically include the following:
Brute force attacks
If you use Django's out-of-the-box authentication support, be aware that your application is likely vulnerable to brute force attacks (link: http://www.owasp.org/index.php/Brute_force_attack) against individual user accounts. In the absence of external defensive technologies such as web application firewalls, you will need to write your own defense or use third-party code such as this rate limiting cache decorator (link: https://github.com/simonw/ratelimitcache/).
I'm not sure what the policy is towards suggesting third party code in the documentation. If it's not possible to point directly to the ratelimit cache then maybe a general description of a defense (i.e. throttle authentication attempts) is more apt.
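The "throttle authentication attempts" defense the ticket proposes, as an added example that is not part of the ticket, of Django, or of the ratelimitcache project. `MemoryCache` is a constructed stand-in for Django's cache API (`get`/`set`/`delete` with a timeout), and `check_password` is an assumed callback standing in for the real authentication backend; the window and limit values are illustrative.

```python
import time

WINDOW_SECONDS = 300   # failures are counted over a five-minute window
MAX_FAILURES = 5       # lock the (username, client IP) pair after this many


class MemoryCache:
    """Minimal in-memory stand-in for Django's cache API; clock is injectable for tests."""

    def __init__(self, clock=time.time):
        self._store = {}
        self._clock = clock

    def get(self, key, default=None):
        hit = self._store.get(key)
        if hit is None:
            return default
        value, expires = hit
        if expires <= self._clock():      # expired entries read as absent
            del self._store[key]
            return default
        return value

    def set(self, key, value, timeout):
        self._store[key] = (value, self._clock() + timeout)

    def delete(self, key):
        self._store.pop(key, None)


def throttle_key(username, ip):
    # Key on username AND client IP: username alone lets anyone lock a victim out,
    # IP alone is bypassed by spreading attempts across many addresses.
    return "login-fail:%s:%s" % (username.lower(), ip)


def is_locked(cache, username, ip):
    return cache.get(throttle_key(username, ip), 0) >= MAX_FAILURES


def attempt_login(cache, check_password, username, password, ip):
    """Return (ok, reason). Once the limit is hit the password is not checked at all,
    so a correct guess on the Nth attempt still fails until the window expires."""
    key = throttle_key(username, ip)
    if cache.get(key, 0) >= MAX_FAILURES:
        return False, "throttled"
    if check_password(username, password):
        cache.delete(key)                 # a successful login clears the counter
        return True, "ok"
    # each failure increments the count and restarts the window
    cache.set(key, cache.get(key, 0) + 1, WINDOW_SECONDS)
    return False, "bad-credentials"
```

In a view you would return HTTP 429 for the "throttled" case and log it, since a burst of throttled attempts against one account is itself a useful detection signal.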
Change History (12)
comment:1 Changed 6 years ago by
| Patch needs improvement: | unset |
| Triage Stage: | Unreviewed → Accepted |