pglombardo / PasswordPusher

🔐 Securely share sensitive information with automatic expiration & deletion after a set number of views or duration. Track who, what and when with full audit logs.
https://docs.pwpush.com
Apache License 2.0

Lockout Feature After Multiple Login Attempts #2798

Open jaychinut opened 5 days ago

jaychinut commented 5 days ago

❓ Question

I am writing to inquire about the configuration options available for setting a maximum number of failed login attempts, after which a user would be locked out either for a specified period or until an administrator unlocks the account. Specifically, I would like to know:

  1. Is there a current default setting for the maximum number of failed login attempts before a user is locked out?
  2. Can this setting be configured via environment variables or through the Admin Dashboard?
  3. What are the available options for the lockout mechanism (e.g., temporary lockout period vs. admin intervention)?

📎 Additional context

To provide some context, I have attempted to log into a user account with the incorrect password 11 times, yet the account has not been locked out. This raises a security concern, as a brute force attacker could potentially try millions of passwords without being stopped. I am running my own instance of the pwpush app.

pglombardo commented 3 days ago

Hi @jaychinut,

This isn't configurable currently but I'll point out what protections exist today.

  1. There is a built-in rate limiter that throttles login attempts here. So trying millions of passwords would take years, theoretically.
  2. The authentication system will lock the account after 20 failed attempts, which is a bit high really.

I think we should reduce that to 10 failed attempts, no? I should also have this documented somewhere.
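As an added illustration (not code from the PasswordPusher project or from this thread's participants), the following self-contained Ruby model shows how the two protections described above fit together: a per-source throttle on login attempts and a per-account lockout after a fixed number of failures, using the 10-attempt threshold proposed here and both unlock options the question asks about (a timed unlock and an admin unlock). The class, parameter names and the injected `clock` are my own assumptions, and the actual credential check is assumed to be done by the caller.

```ruby
# Constructed model of the two login protections discussed in the thread:
# a per-source throttle plus a per-account lockout with a timed or admin unlock.
class LoginGuard
  Result = Struct.new(:ok, :reason)

  def initialize(max_attempts: 10, unlock_strategy: :time, unlock_in: 3600,
                 throttle_limit: 5, throttle_window: 60, clock: -> { Time.now })
    @max_attempts, @unlock_strategy, @unlock_in = max_attempts, unlock_strategy, unlock_in
    @throttle_limit, @throttle_window, @clock = throttle_limit, throttle_window, clock
    @failed = Hash.new(0)                  # account => consecutive failed attempts
    @locked_at = {}                        # account => Time the lock was applied
    @hits = Hash.new { |h, k| h[k] = [] }  # source ip => timestamps of recent attempts
  end

  # `password_ok` is the outcome of the caller's real credential check (hypothetical).
  # The throttle is evaluated first so a flood from one source is cut off before
  # it can even count against the account; a locked account rejects correct
  # passwords too, otherwise the lock would leak whether a guess was right.
  def attempt(account, ip, password_ok)
    now = @clock.call
    @hits[ip].reject! { |t| now - t > @throttle_window }
    return Result.new(false, :throttled) if @hits[ip].size >= @throttle_limit
    @hits[ip] << now
    return Result.new(false, :locked) if locked?(account, now)
    if password_ok
      @failed.delete(account)              # success resets the failure counter
      return Result.new(true, :ok)
    end
    @failed[account] += 1
    @locked_at[account] = now if @failed[account] >= @max_attempts
    Result.new(false, @locked_at[account] ? :locked : :bad_password)
  end

  # With the :time strategy the lock expires after unlock_in seconds; with :admin
  # it persists until admin_unlock is called.
  def locked?(account, now = @clock.call)
    locked = @locked_at[account]
    return false unless locked
    if @unlock_strategy == :time && now - locked >= @unlock_in
      admin_unlock(account)
      return false
    end
    true
  end

  def admin_unlock(account)
    @locked_at.delete(account)
    @failed.delete(account)
  end
end
```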

jaychinut commented 3 days ago

I think 10 failed attempts is a good standard. I did not try up to 20 attempts, I figured after 11 or 12 it just wasn't going to lock me out. Thanks for letting me know.