mahara-contributors team mailing list archive

[Bug 843561] [NEW] Temporarily lock accounts after too many bad passwords


Public bug reported:

To deter brute-forcing of passwords (and prevent ensuing DoS attacks),
we should temporarily lock accounts once they've had too many (4? 5?)
bad passwords.

Considerations:

- This should be as fast as possible and ideally not use extra queries.
In a DoS setting, we want brute-forcers to add as little load as
possible on the server.

- To avoid adding a "locked until" field to the user table which needs
to be updated constantly, maybe we should just unlock all users every
time cron runs (every 5 min?) and tell users they've been locked out for
up to 5 min.

This will be particularly helpful once we fix bug 547469.

** Affects: mahara
     Importance: Medium
         Status: Triaged


** Tags: password

** Changed in: mahara
   Importance: Undecided => Medium

** Changed in: mahara
       Status: New => Triaged

** Changed in: mahara
    Milestone: None => 1.5.0

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/843561

Title:
  Temporarily lock accounts after too many bad passwords

Status in Mahara ePortfolio:
  Triaged

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/843561/+subscriptions
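The lockout scheme proposed in the bug report, sketched as an added example that is not part of the report or of Mahara's code: a failed-login counter kept on the user record itself (so the check costs no query beyond the one that already loads the user), rejection of locked accounts before any password check, and a cron job that resets every counter in one pass instead of maintaining a per-user "locked until" timestamp. The threshold of 5 failures, the 5-minute cron interval, the `UserRecord` field names and the constructed credentials are assumptions, not values from Mahara.

```python
"""Added example (not from the Mahara bug report or its code base):
a minimal model of "lock after N bad passwords, unlock everyone on cron".

Assumptions not stated on the page:
- a per-user failed-login counter stored on the same record as the user;
- threshold 5 ("4? 5?" in the report) and cron every 300 s ("every 5 min?");
- plain-text passwords, for brevity only; real code compares a salted hash.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class UserRecord:
    """Stand-in for one row of a user table (constructed; not Mahara's schema)."""
    username: str
    password: str            # demo only; a real system stores a salted hash
    failed_logins: int = 0   # counter lives on the user row: no extra table/query


class LoginThrottle:
    """Temporary lockout after too many bad passwords, reset in bulk by cron."""

    def __init__(self, users: Dict[str, UserRecord], max_failures: int = 5,
                 cron_interval_s: int = 300) -> None:
        self.users = users
        self.max_failures = max_failures        # assumed value; report says "4? 5?"
        self.cron_interval_s = cron_interval_s  # assumed value; report says "every 5 min?"

    def is_locked(self, username: str) -> bool:
        user = self.users.get(username)
        return user is not None and user.failed_logins >= self.max_failures

    def check_password(self, username: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'.

        A locked account is refused before the password is compared, so
        repeated attempts against it do no password-verification work.
        """
        user = self.users.get(username)
        if user is None:
            # Same answer as a wrong password: do not reveal which usernames exist.
            return "bad_password"
        if user.failed_logins >= self.max_failures:
            return "locked"
        if hmac.compare_digest(user.password, password):  # constant-time compare
            user.failed_logins = 0   # a good login clears the counter
            return "ok"
        user.failed_logins += 1
        return "locked" if user.failed_logins >= self.max_failures else "bad_password"

    def cron_unlock_all(self) -> int:
        """Bulk reset run by cron; returns how many accounts were actually locked."""
        unlocked = 0
        for user in self.users.values():
            if user.failed_logins >= self.max_failures:
                unlocked += 1
            user.failed_logins = 0
        return unlocked

    def lockout_message(self) -> str:
        """What a locked-out user is told: the wait is bounded by the cron interval."""
        return (f"Too many failed logins; try again in up to "
                f"{self.cron_interval_s // 60} minutes.")


def demo() -> List[str]:
    """Drive the throttle with constructed credentials and return each outcome."""
    users = {"alice": UserRecord("alice", "correct horse")}
    throttle = LoginThrottle(users, max_failures=5, cron_interval_s=300)
    results = [throttle.check_password("alice", "wrong") for _ in range(5)]
    results.append(throttle.check_password("alice", "correct horse"))  # still locked
    throttle.cron_unlock_all()                                         # cron fires
    results.append(throttle.check_password("alice", "correct horse"))  # unlocked now
    return results


if __name__ == "__main__":
    print(demo())
    print(LoginThrottle({}).lockout_message())
```

Two properties of this design worth keeping in mind when tuning it: because the lock is cleared on the next cron run rather than after a fixed period, the cron interval is the ceiling on how long anyone, including the legitimate owner, is kept out of a deliberately locked account; and because the counter is reset on every run, the scheme caps an attacker at `max_failures` guesses per interval, which is rate limiting rather than a permanent block, so the interval and threshold together set the attainable guessing rate.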

