Closed KeithIMyers closed 7 years ago
This is possible, however deleting a vault seems overkill. What if a troll comes to your pc and 'brute' forces all your vaults?
Better would be how Android and iOS do it, they prevent the user from trying to login to the phone, by simply disabling the login functionality. 5 times incorrect -> 5 minute lockout of vault. 10 times incorrect -> 10 minute lockout of vault.
However, the counting of incorrect passwords will be implemented client side; when a vault is locked, an AJAX call is made to set it locked.
Yet the client side would have downloaded the password already, and bypassing that lock would be easy for a professional attacker, which makes this a bit of a useless feature. This kind of locking and control is more of a whole Nextcloud login thing, not a specific passman issue, that's what I think.
We could do like a linux desktop and make a user wait a few seconds between password attempts at client side, but not much more that would actually improve security. And this would just prevent the most basic bruteforce attacks, if someone with a little knowledge on the matter gets access to the system at the point of accessing a vault they can already go to the network tab and extract the downloaded encrypted credential for local bruteforce attacks.
@animalillo - I understand that due to the imperfect nature of password banks and remote storage in general that it is impossible to completely eliminate the threat of password theft. To be completely honest, it is not impossible for a malicious user to gain access if they are determined and skilled enough.
In theory as long as your NextCloud install is kept secure (https/MFA and housed on a secure server) you should be fine from most of the hardcore attacks (except for rogue system administrators). In my case, my personal NextCloud server is on owned hardware, in a secure colo facility and hardened quite well.
My recommendation was mainly meant to act as a deterrent for script kiddies and less skilled users.
@KeithIMyers your setup is the way to go! :+1:
We try our best to make passman as close to the wrench level as we can, that's why we will be adding some sort of manual brute force detection and slowdown (which can help with an angry girlfriend/boyfriend) and why we've implemented server side encryption over the client side encryption for the v2 release, now hardening against possible database leaks as well!
We will seriously think on this subject once the v2 has been fully tested, fixed and released.
@animalillo - I can't wait to take v2 for a spin
Isn't there a notification feature to send to the admin if wrong vault keys are filled in?
Or maybe the option to send an alert to the user if the wrong key is entered. I use a similar system on my WordPress blog
It would be nice to have the ability to activate some sort of Brute Force Detection on Passman. I would love to see the following:
The ability to set a timer after X number of invalid login attempts that forces a user to wait. It should be at least 30 seconds after 3 invalid attempts ranging to 30 minutes after 10.
The ability to destroy a password vault after XXX number of invalid attempts are made (this should be configurable by the user or by the admin)
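As an added illustration of the server-side lockout this thread argues for (not passman's own code), here is a small Node.js guard that counts failed unlock attempts per user and vault on the server, escalates the wait from 30 s at three failures to 30 min at ten, and answers the "may this client get the vault?" question before any encrypted data is sent. The doubling between those two points, the `VaultUnlockGuard` name and the `onAlert` hook are assumptions of this example.

```javascript
// Hypothetical server-side guard (not passman's own code). It has to live on
// the server and be consulted before the encrypted vault is handed out;
// a client-side counter can be skipped by reading the blob from the network tab.
const MIN_FAILS = 3;         // first lockout after this many wrong keys
const BASE_SECONDS = 30;     // 30 s after three failures
const MAX_SECONDS = 30 * 60; // 30 min cap, reached by the tenth failure

// Assumption: the wait doubles for every failure beyond the third.
function lockoutSeconds(failures) {
  if (failures < MIN_FAILS) return 0;
  return Math.min(MAX_SECONDS, BASE_SECONDS * 2 ** (failures - MIN_FAILS));
}

class VaultUnlockGuard {
  // `now` (seconds) is injectable so the policy can be tested without waiting;
  // `onAlert` is where a user/admin notification would be sent.
  constructor(now = () => Date.now() / 1000, onAlert = () => {}) {
    this.now = now;
    this.onAlert = onAlert;
    this.state = new Map(); // "user:vault" -> { failures, lockedUntil }
  }

  key(userId, vaultId) { return `${userId}:${vaultId}`; }

  // Call before serving vault data. Returns seconds left to wait; 0 = allowed.
  retryAfter(userId, vaultId) {
    const s = this.state.get(this.key(userId, vaultId));
    if (!s) return 0;
    return Math.max(0, Math.ceil(s.lockedUntil - this.now()));
  }

  // Record a wrong vault key. Returns the lockout now in force, in seconds.
  recordFailure(userId, vaultId) {
    const k = this.key(userId, vaultId);
    const s = this.state.get(k) || { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    const wait = lockoutSeconds(s.failures);
    s.lockedUntil = wait ? this.now() + wait : 0;
    this.state.set(k, s);
    if (s.failures >= MIN_FAILS) {
      this.onAlert({ userId, vaultId, failures: s.failures, wait });
    }
    return wait;
  }

  // A correct key clears the counter so a legitimate user is not punished later.
  recordSuccess(userId, vaultId) {
    this.state.delete(this.key(userId, vaultId));
  }
}
```

A lock state kept only in memory resets when the server restarts; a real deployment would persist it in the database next to the vault.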