Temporarily lock accounts after too many bad passwords
Bug #843561 reported by
François Marier
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mahara |
Fix Released
|
Medium
|
Melissa Draper | ||
Bug Description
To deter brute-forcing of passwords (and prevent ensuing DoS attacks), we should temporarily lock accounts once they've had too many (4? 5?) bad passwords.
Considerations:
- This should be as fast as possible and ideally not use extra queries. In a DoS setting, we want brute-forcers to add as little load as possible on the server.
- To avoid adding a "locked until" field to the user table which needs to be updated constantly, maybe we should just unlock all users every time cron runs (every 5 min?) and tell users they've been locked out for up to 5 min.
This will be particularly helpful once we fix bug 547469.
| Changed in mahara: | |
| importance: | Undecided → Medium |
| status: | New → Triaged |
| milestone: | none → 1.5.0 |
Revision history for this message
| Melissa Draper (melissa) wrote | #1 |
| Changed in mahara: | |
| status: | Triaged → In Progress |
| assignee: | nobody → Melissa Draper (melissa) |
Revision history for this message
| Mahara Bot (dev-mahara) wrote A change has been merged | #2 |
| Changed in mahara: | |
| status: | In Progress → Fix Committed |
| tags: |
added: passwords removed: password |
| tags: | added: newfeature |
| Changed in mahara: | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
https:/