User friendly account locking (was - Security: lock user accounts after unsuccessful logins)
Bug #457358 reported by root
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
psiphon | Confirmed | Wishlist | Unassigned |
Bug Description
* Currently, there's no mechanism in place to prevent an attacker from performing a time-unlimited brute force login attack against any account.
* Best practice is to lock an account after a few unsuccessful login attempts.
* I recommend a temporary lock: after 5 bad attempts, no attempt will succeed for 5 minutes. This is self-managing.
* DoD: any locking mechanism can be exploited for a DoS attack. We should be monitoring the server logs for excessive "login failed" events and be able to respond.
* Also see: http://
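The temporary lock described above (five bad attempts, then every attempt fails for five minutes, with no administrator action needed to clear it) together with the log monitoring the DoS point asks for, as an added example; this is not psiphon's code and assumes a hypothetical `LoginLimiter` kept in server memory, an injectable clock so the expiry can be exercised, and a constructed log format of the form `<unix-ts> login failed user=<name> ip=<addr>`:

```python
import re
import time
from collections import defaultdict, deque

LOCK_THRESHOLD = 5      # bad attempts before the account is locked
LOCK_SECONDS = 300      # lock duration; expires on its own (self-managing)


class FakeClock:
    """Deterministic clock for demonstrating lock expiry (test aid, hypothetical)."""
    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginLimiter:
    """Per-account temporary lockout: after `threshold` failures, every
    attempt (even with the right password) is rejected for `lock_seconds`."""

    def __init__(self, threshold=LOCK_THRESHOLD, lock_seconds=LOCK_SECONDS, clock=time.time):
        self.threshold = threshold
        self.lock_seconds = lock_seconds
        self.clock = clock
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.locked_until = {}             # account -> unix time the lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock has expired: clear state so no manual unlock is ever needed.
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def attempt(self, account, password_ok):
        """Record one login attempt. Returns (allowed, reason)."""
        if self.is_locked(account):
            # The decision is the same whether or not the password is correct,
            # so a locked account leaks nothing about the password.
            return False, "locked"
        if password_ok:
            self.failures[account] = 0
            return True, "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.threshold:
            self.locked_until[account] = self.clock() + self.lock_seconds
            return False, "locked"
        return False, "bad password"


# Constructed sample log lines (not real server output) in the assumed format.
SAMPLE_LOG = [
    "1000 login failed user=alice ip=10.0.0.5",
    "1010 login failed user=bob ip=10.0.0.5",
    "1020 login failed user=carol ip=10.0.0.5",
    "1030 login failed user=alice ip=10.0.0.5",
    "1040 login ok user=alice ip=10.0.0.9",
    "1050 login failed user=dave ip=10.0.0.5",
    "1060 login failed user=erin ip=10.0.0.9",
    "1070 login failed user=frank ip=10.0.0.5",
    "1080 login failed user=erin ip=10.0.0.9",
]

LOG_LINE = re.compile(r"^(?P<ts>\d+) login failed user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def excessive_failures(log_lines, window_seconds=300, threshold=20):
    """Return {ip: peak count} for sources with >= `threshold` 'login failed'
    events inside any sliding window of `window_seconds`. Counting per source
    IP rather than per account is what surfaces someone locking out many
    accounts on purpose (the DoS concern), which per-account counters miss."""
    events = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m:
            events[m.group("ip")].append(int(m.group("ts")))
    flagged = {}
    for ip, times in events.items():
        window = deque()
        for t in sorted(times):
            window.append(t)
            while window[0] < t - window_seconds:
                window.popleft()
            if len(window) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


def demo_monitor():
    # Low threshold so the constructed sample trips the alert.
    return excessive_failures(SAMPLE_LOG, window_seconds=300, threshold=5)


if __name__ == "__main__":
    print(demo_monitor())   # the ip=10.0.0.5 source is flagged, ip=10.0.0.9 is not
```

The limiter answers "locked" before consulting the password, so a lock cannot be used as a password oracle, and the monitor keys on the source address so that one client spraying failures across many accounts is visible even though no single account exceeds the threshold.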
Changed in psiphon:
status: In Progress → New
importance: Unknown → Wishlist
Changed in psiphon:
status: New → Confirmed
visibility: private → public
tags: added: category3
Is there any reason not to tell the user (or bad guy) that we have locked an account when we do it? Not doing so will probably up the number of password-change requests...and the number of people bleating for help through the 'feedback' function. Should we politely tell people that their account has been locked, for security reasons, and that, if they've forgotten their password, they can please click on the link below? And...presumably, a successful password-change request will unlock the account?