Comment 3 for bug 1203924

Aaron Wells (u-aaronw) wrote : Re: Bruteforce username/email enumeration vuln in password reset screen

Leo is working on implementing scenario A, the limit on password reset attempts per IP address in a given span of time.

We also concluded in an IRC discussion that it would be useful to have a per-IP limit on *login* attempts as well. It's a slightly more subtle case:

1. Username enumeration is not a concern with the login screen because we print the same message whether you entered an invalid username or a valid username and invalid password.

2. And we also have an existing system that limits the number of password attempts for each username within a short span of time.

3. HOWEVER, an attacker could do a dictionary attack: try the five most common passwords on a large list of likely usernames.

So, to prevent attack #3, it would be good to have the per-IP timeout on the login form as well as on the password reset form.
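As an added example (not code from the bug report or from the project it belongs to), the following sliding-window limiter can be keyed by username or by client IP, and a simulated spraying run shows why the existing per-username limit alone does not stop the attack described in point 3 while a per-IP limit does. The limits, window lengths, usernames, passwords and the IP address are constructed values; the same IP-keyed limiter would also cover the password reset form.

```python
"""Sliding-window attempt limiter keyed by username or by client IP.

Added example, not the project's own code. All limits, windows and the
sample usernames/passwords/IP below are constructed for illustration.
"""
from collections import defaultdict, deque


class AttemptLimiter:
    """Allow at most `max_attempts` attempts per key within `window_seconds`.

    Timestamps are passed in explicitly so the demo is deterministic; a real
    deployment would use the request time. Blocked attempts are recorded too,
    so a client that keeps hammering stays locked out rather than getting a
    fresh quota as soon as the oldest events age out.
    """

    def __init__(self, max_attempts, window_seconds):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._events = defaultdict(deque)  # key -> timestamps inside the window

    def allow(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:  # drop events outside the window
            q.popleft()
        q.append(now)
        return len(q) <= self.max_attempts


# Constructed sample data: 50 likely usernames and 5 common passwords.
USERNAMES = ["user%02d" % i for i in range(50)]
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "letmein"]
ATTACKER_IP = "198.51.100.7"  # constructed address


def simulate_spray(usernames, passwords, attacker_ip, per_user, per_ip=None,
                   interval=1.0):
    """Replay a password-spraying run from a single IP.

    The outer loop is over passwords, so each username sees only one attempt
    per pass and never trips a per-username limit of 5. `per_ip=None` models
    the existing per-username-only protection. Returns (allowed, blocked).
    """
    allowed = blocked = 0
    now = 0.0
    for pw in passwords:
        for user in usernames:
            now += interval
            ok_user = per_user.allow(user, now)
            ok_ip = per_ip.allow(attacker_ip, now) if per_ip is not None else True
            if ok_user and ok_ip:
                allowed += 1  # the password check would run here
            else:
                blocked += 1
    return allowed, blocked


def legitimate_retries_allowed(per_user, per_ip, user="alice",
                               ip="203.0.113.5", tries=3):
    """A real user mistyping a password a few times from her own IP must not
    be caught by either limit. Returns True if every try was allowed."""
    return all(per_user.allow(user, t) and per_ip.allow(ip, t)
               for t in range(1, tries + 1))


if __name__ == "__main__":
    # Existing protection only: 5 attempts per username per 10 minutes.
    print("per-username only:",
          simulate_spray(USERNAMES, COMMON_PASSWORDS, ATTACKER_IP,
                         AttemptLimiter(5, 600)))
    # Add a per-IP limit of 20 login attempts per 10 minutes.
    print("per-username + per-IP:",
          simulate_spray(USERNAMES, COMMON_PASSWORDS, ATTACKER_IP,
                         AttemptLimiter(5, 600), AttemptLimiter(20, 600)))
    print("legitimate retries still allowed:",
          legitimate_retries_allowed(AttemptLimiter(5, 600),
                                     AttemptLimiter(20, 600)))
```

Under the per-username limit alone every one of the 250 spraying attempts goes through, because no single username is tried more than five times inside the window; with the per-IP limit the attacker's IP is cut off after 20 attempts, while a genuine user retrying a mistyped password from another address is unaffected.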