google-code-export / webpasswordsafe

Automatically exported from code.google.com/p/webpasswordsafe
0 stars 3 forks source link

Implement optional authentication failure limit and account lockout #15

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
Regardless of which authentication mechanism you implement, a user can attempt 
to login and fail as many times as they like, leading the application's 
authentication module open to brute force attacks.

What is the expected output? What do you see instead?
Would be nice to implement as either a core feature, or a wrapper 
authentication plugin, the ability to lock out, or temporarily disable further 
authentication attempts if a certain configurable (both time and attempt count 
based) threshold has been reached.  For example, keep a history of sequential 
authentication failures, say after 5 failed attempts the account is locked out 
and disabled.  This could lead to denial-of-service attacks, where a brute 
force attacker could intentionally disable all known usernames, especially the 
default administrator account (although best practice would be to disable that 
anyway after the initial user-based accounts with admin role are setup) and 
render the application unusable.  Because of this, maybe the lockout should be 
time-based, and configurable, so it only disables the account for an hour, or 
day, or permanently.

Original issue reported on code.google.com by joshdrum...@gmail.com on 9 Dec 2010 at 1:51

GoogleCodeExporter commented 9 years ago

Original comment by joshdrum...@gmail.com on 9 Dec 2010 at 3:20

GoogleCodeExporter commented 9 years ago

Original comment by joshdrum...@gmail.com on 6 Jun 2011 at 5:32