A brute force attack (BFA) is when an attacker makes thousands of requests to an HTTP resource, trying to guess common values for an input, for example a username and password on a login page. In most cases there are many combinations of usernames and passwords, so the attacker needs to be able to try as many combinations per second as possible to find matches (e.g. 3-5k+).
For certain apps, the user account should be locked after a number of failed attempts so that the user's data is protected if the failures come from an attacker. There are app scenarios where locking a user account would disrupt a legitimate user's ability to use their own account, so it's up to the app owner whether to enable this feature. Either way, it's important that the API provide the means to lock user accounts after a specific number of failed login attempts.
Requirements:
Store an 'enabled' true/false property in an external property config so that this feature can be turned on/off for any given server at any time.
Store a 'max login attempts' property in an external property config so that each app can set the count that is appropriate for it.
Create an event listener or http filter that monitors failed FORM login attempts
Create an event listener or http filter that monitors failed BASIC AUTH login attempts
Lock user feature approach:
If the feature is enabled (based on the external config property), then execute the following steps.
Look up the User by the username provided.
If the User exists, then increment the number of failed login attempts (the User should have a "failedLoginAttempts" property stored on the User object).
If the user's new failedLoginAttempts > max failed login attempts (from the property config), then lock the user account (user.isLocked = true or user.isEnabled = false).
The User should have a locked or disabled state that prevents further login.
The user should be able to complete the forgot password process to unlock/enable their account
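The approach above, worked through as an added example (not code from the original page): a config-driven failure handler that both the FORM and BASIC-auth listeners can call. The in-memory user dict, the class names and the reset of the counter on a successful login are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutConfig:
    """Externalised properties: feature toggle and per-app threshold."""
    enabled: bool = True
    max_login_attempts: int = 5


@dataclass
class User:
    username: str
    failed_login_attempts: int = 0  # the "failedLoginAttempts" property
    is_locked: bool = False


class LoginFailureHandler:
    """Shared by the FORM and BASIC-auth failure listeners (assumed design)."""

    def __init__(self, config: LockoutConfig, users: Dict[str, User]):
        self.config = config
        self.users = users  # constructed stand-in for the user store

    def on_failure(self, username: str) -> Optional[User]:
        if not self.config.enabled:
            return None  # feature turned off for this server
        user = self.users.get(username)
        if user is None:
            return None  # unknown username: nothing to increment
        user.failed_login_attempts += 1
        # Lock once the count exceeds the configured maximum.
        if user.failed_login_attempts > self.config.max_login_attempts:
            user.is_locked = True
        return user

    def is_login_allowed(self, username: str) -> bool:
        user = self.users.get(username)
        return user is not None and not user.is_locked

    def on_success(self, username: str) -> None:
        # Assumed: a good login clears the counter so stale failures don't accumulate.
        user = self.users.get(username)
        if user is not None:
            user.failed_login_attempts = 0

    def complete_forgot_password(self, username: str) -> None:
        # Finishing the forgot-password flow unlocks the account and resets the count.
        user = self.users.get(username)
        if user is not None:
            user.is_locked = False
            user.failed_login_attempts = 0
```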