Password Lockout Security Feature

[fpietrosanti]

Password lockout is to protect receivers against password brute forcing, functionally as described in the "GlobaLeaks Application Security Design" document.

This feature is to be implemented by:

• making the lockout parameters configurable by the admin
• visualizing remaining attempt on "failed password attempt" (the user must be informed that he has remaining X passwords while typing)
• introducing the concept of receiver activated/deactivated flag
• the logging of the security incident (somehow to report the admin some info about what's happened, even as a receiver flag containing some info about the incident)

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[fpietrosanti]

In reference to issue #37

[fpietrosanti]

Partial implementation on commit https://github.com/globaleaks/GLBackend/commit/4ca7fef624564893009d746302b59fd9e4afe0a1

with settings.py

• Number of failed login enough to generate an alarm

• self.failed_login_alarm = 5

[vecna]

here has been solved a critical security flaw: https://github.com/globaleaks/GLBackend/commit/82661ef8ebc132a960a59a8f7fe10dae8f10a4c2 based on errors login counter.

[vodkina]

Which is the state of this issue?

[evilaliv3]

this is currently in wishlist; is a nice to have to eventually to be discussed but still not in any milestone as not felt as higly required right now

[vodkina]

What about this issue? Could we give an estimate?