mahara-contributors team mailing list archive

[Mahara Bot <843561@xxxxxxxxxxxxxxxxxx>]

Reviewed:  https://reviews.mahara.org/679
Committed: http://gitorious.org/mahara/mahara/commit/51c4d530a7f402887cefd51f621188af904a2721
Submitter: Francois Marier (francois@xxxxxxxxxxxxxxx)
Branch:    master

commit 51c4d530a7f402887cefd51f621188af904a2721
Author: Melissa Draper <melissa@xxxxxxxxxxxxxxx>
Date:   Fri Sep 9 17:58:58 2011 +1200

    Add a lock for accounts after 5 tries (bug #843561)
    
    To deter brute-forcing of passwords (and prevent ensuing DoS attacks),
    this patch temporarily lock accounts after 5 tries, and every 5 minutes
    counts above 0 get reset.
    
    Change-Id: Iee9739a69b95b906b6f485f7d90041b50968dcc6
    Signed-off-by: Melissa Draper <melissa@xxxxxxxxxxxxxxx>

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/843561

Title:
  Temporarily lock accounts after too many bad passwords

Status in Mahara ePortfolio:
  Fix Committed

Bug description:
  To deter brute-forcing of passwords (and prevent ensuing DoS attacks),
  we should temporarily lock accounts once they've had too many (4? 5?)
  bad passwords.

  Considerations:

  - This should be as fast as possible and ideally not use extra
  queries. In a DoS setting, we want brute-forcers to add as little load
  as possible on the server.

  - To avoid adding a "locked until" field to the user table which needs
  to be updated constantly, maybe we should just unlock all users every
  time cron runs (every 5 min?) and tell users they've been locked out
  for up to 5 min.

  This will be particularly helpful once we fix bug 547469.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/843561/+subscriptions