nextcloud / password_policy

:lock: Let the admin define certain rules for passwords, e.g. a minimum length
GNU Affero General Public License v3.0

Limit incorrect password attempts before block should be time-dependent, not total #574

Closed Antreesy closed 4 months ago

Antreesy commented 5 months ago

Steps to reproduce

  1. Set password attempts limit to N
  2. Try to log in with incorrect credentials spread over an indeterminate timeframe (a week, a month)
  3. Reach N attempts

Expected behaviour

The app should block the user after several consecutive incorrect attempts within a short time interval (as in a brute-force attack)

Actual behaviour

Regardless of when the user reaches the limit (after a month, a year), the account will be blocked

Nextcloud version: 27.1.7
App version: 1.17.0
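To make the two behaviours the issue contrasts concrete, here is an added, self-contained illustration (not code from the password_policy app or from the reporter): a cumulative counter that locks after N failures however far apart they are, next to a sliding-window counter that only locks when N failures land inside one window. The `TotalCountLockout`, `SlidingWindowLockout` and `replay` names, the 15-minute window, the limit of 5, and the two event sequences (`slow_typos`, one failure per week, and `burst`, five failures within a minute) are all constructed for this example and are not the app's actual implementation or defaults.

```python
"""Cumulative vs. time-windowed failed-login lockout (illustrative only)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class TotalCountLockout:
    """Locks once a user accumulates `limit` failures, however spread out in time.
    This mirrors the behaviour the issue reports (not the app's real code)."""

    def __init__(self, limit: int):
        self.limit = limit
        self.failures = defaultdict(int)

    def record_failure(self, user: str, when: datetime) -> None:
        self.failures[user] += 1  # timestamp ignored: only the total matters

    def record_success(self, user: str, when: datetime) -> None:
        self.failures[user] = 0

    def is_locked(self, user: str, now: datetime) -> bool:
        return self.failures[user] >= self.limit


class SlidingWindowLockout:
    """Locks only when `limit` failures fall inside the trailing `window`;
    failures older than the window expire and no longer count."""

    def __init__(self, limit: int, window: timedelta):
        self.limit = limit
        self.window = window
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures

    def _prune(self, user: str, now: datetime) -> None:
        q = self.failures[user]
        while q and now - q[0] > self.window:
            q.popleft()  # drop failures that have aged out of the window

    def record_failure(self, user: str, when: datetime) -> None:
        self._prune(user, when)
        self.failures[user].append(when)

    def record_success(self, user: str, when: datetime) -> None:
        self.failures[user].clear()

    def is_locked(self, user: str, now: datetime) -> bool:
        self._prune(user, now)
        return len(self.failures[user]) >= self.limit


def replay(policy, events):
    """Feed (timestamp, user, credentials_ok) events in order.
    Returns the lock state after each event; an attempt made while locked is
    rejected before the credentials are even considered and is not recorded."""
    states = []
    for when, user, ok in events:
        if policy.is_locked(user, when):
            states.append(True)
            continue
        if ok:
            policy.record_success(user, when)
        else:
            policy.record_failure(user, when)
        states.append(policy.is_locked(user, when))
    return states


# Constructed sample data for the demo.
T0 = datetime(2024, 3, 1, 9, 0, 0)
LIMIT = 5
WINDOW = timedelta(minutes=15)
# Scenario from the issue: one mistyped password per week for five weeks.
slow_typos = [(T0 + timedelta(weeks=i), "alice", False) for i in range(LIMIT)]
# Brute-force-like scenario: five wrong passwords within a minute.
burst = [(T0 + timedelta(seconds=10 * i), "bob", False) for i in range(LIMIT)]


def run_demo() -> dict:
    """Final lock state of each policy for each scenario."""
    return {
        "total/slow": replay(TotalCountLockout(LIMIT), slow_typos)[-1],
        "window/slow": replay(SlidingWindowLockout(LIMIT, WINDOW), slow_typos)[-1],
        "total/burst": replay(TotalCountLockout(LIMIT), burst)[-1],
        "window/burst": replay(SlidingWindowLockout(LIMIT, WINDOW), burst)[-1],
    }


if __name__ == "__main__":
    for name, locked in run_demo().items():
        print(f"{name:13s} locked={locked}")
```

The cumulative policy locks `alice` after five typos spread over five weeks, which is the complaint in this issue, while the windowed policy does not; both policies lock `bob`'s burst. A windowed counter also has to be pruned on every check, not only on every failure, so that a lock expires once the window has moved past the offending attempts.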