Temporarily lock accounts after too many bad passwords
Bug #843561 reported by François Marier
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Medium | Melissa Draper |
Bug Description
To deter brute-forcing of passwords (and prevent ensuing DoS attacks), we should temporarily lock accounts once they've had too many (4? 5?) bad passwords.
Considerations:
- This should be as fast as possible and ideally not use extra queries. In a DoS setting, we want brute-forcers to add as little load as possible on the server.
- To avoid adding a "locked until" field to the user table which needs to be updated constantly, maybe we should just unlock all users every time cron runs (every 5 min?) and tell users they've been locked out for up to 5 min.
This will be particularly helpful once we fix bug 547469.
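A small model of the scheme sketched in the report, added here as an example; it is not Mahara's code and the names (`UserRow`, `attempt_login`, `cron_unlock`, `MAX_FAILURES`) are assumptions for illustration. The simulated user table carries only a failure counter and a `locked` flag, so a bad password costs one field update on the row the login already fetched, a locked account is rejected before any password hashing is done, and the periodic cron sweep clears every lock at once instead of maintaining a "locked until" timestamp.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 5  # lock after this many consecutive bad passwords (assumed; the report asks "4? 5?")
PBKDF2_ROUNDS = 20_000  # kept low so the demo runs quickly; production would use far more


@dataclass
class UserRow:
    """One row of the simulated user table (constructed for the example)."""
    salt: bytes
    pw_hash: bytes
    failed_logins: int = 0   # consecutive bad passwords since the last success or cron unlock
    locked: bool = False     # cleared wholesale by cron_unlock(), no "locked until" column needed


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def new_store(users: dict) -> dict:
    """Build the simulated user table from {username: plaintext password}."""
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        store[name] = UserRow(salt=salt, pw_hash=_hash(pw, salt))
    return store


# Dummy row for unknown usernames so their response time matches a real bad password
# and the lockout logic does not become a username-enumeration oracle.
_DUMMY = UserRow(salt=b"\x00" * 16, pw_hash=_hash("", b"\x00" * 16))


def attempt_login(store: dict, username: str, password: str) -> str:
    """Return "ok", "bad_password" or "locked" for one login attempt."""
    row = store.get(username)
    if row is None:
        hmac.compare_digest(_hash(password, _DUMMY.salt), _DUMMY.pw_hash)
        return "bad_password"
    # Cheapest path first: a locked account is refused before the expensive hash,
    # so a brute-forcer hammering a locked account adds almost no load.
    if row.locked:
        return "locked"
    if hmac.compare_digest(_hash(password, row.salt), row.pw_hash):
        row.failed_logins = 0
        return "ok"
    row.failed_logins += 1
    if row.failed_logins >= MAX_FAILURES:
        row.locked = True
        return "locked"
    return "bad_password"


def cron_unlock(store: dict) -> int:
    """The periodic cron task: unlock every locked user in one sweep.

    Returns the number of accounts unlocked. Because the sweep is unconditional,
    a lock lasts anywhere from a few seconds up to one cron interval.
    """
    unlocked = 0
    for row in store.values():
        if row.locked:
            row.locked = False
            row.failed_logins = 0
            unlocked += 1
    return unlocked
```

Two caveats a deployment should keep in mind. First, the counter is per account, so anyone who knows a username can keep that account locked by sending bad passwords every few minutes; the cron-based unlock caps the damage at one interval per burst, but it does not remove that vector, and an IP-based or global rate limit is the usual companion. Second, the lock check must come before the hash computation, as above, or the locked state does nothing to reduce server load.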
Changed in mahara:
importance: Undecided → Medium
status: New → Triaged
milestone: none → 1.5.0

Changed in mahara:
status: Triaged → In Progress
assignee: nobody → Melissa Draper (melissa)

Changed in mahara:
status: In Progress → Fix Committed
tags: added: passwords; removed: password
tags: added: newfeature

Changed in mahara:
status: Fix Committed → Fix Released
https://reviews.mahara.org/#change,679 has been pushed to review for this.