mahara-contributors team mailing list archive

Thread
Date

[Bug 843561] Re: Temporarily lock accounts after too many bad passwords

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: François Marier <francois@xxxxxxxxxx>
Date: Wed, 23 Nov 2011 02:37:51 -0000
Reply-to: Bug 843561 <843561@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Tags removed: password
** Tags added: passwords

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/843561

Title:
  Temporarily lock accounts after too many bad passwords

Status in Mahara ePortfolio:
  Fix Committed

Bug description:
  To deter brute-forcing of passwords (and prevent ensuing DoS attacks),
  we should temporarily lock accounts once they've had too many (4? 5?)
  bad passwords.

  Considerations:

  - This should be as fast as possible and ideally not use extra
  queries. In a DoS setting, we want brute-forcers to add as little load
  as possible on the server.

  - To avoid adding a "locked until" field to the user table which needs
  to be updated constantly, maybe we should just unlock all users every
  time cron runs (every 5 min?) and tell users they've been locked out
  for up to 5 min.

  This will be particularly helpful once we fix bug 547469.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/843561/+subscriptions

References

[Bug 843561] [NEW] Temporarily lock accounts after too many bad passwords
From: François Marier, 2011-09-07