Details
- Type: Story
- Resolution: Unresolved
- Priority: Critical
- Versions: 5.0, 5.4.14, 1.13.6, 3.2.2, 3.3.1, 2.5.18
Description
Brute-force login can be stopped by limiting how many failed login attempts are allowed. The rules should ideally be configurable; many options are possible:
- Maximum X attempts per Y minutes
- Lock the account after X failures, optionally re-enable it after Y minutes
- Lock the account after X failures for Y minutes; after another X failures, lock it for Z minutes (a larger value), which can be increased further
Limiting must be enforced server-side. Logging and admin notification would also be good.
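The following is an added example of the escalating-lockout rule described above, written for this issue; it is not code from the project. The class and function names, the default thresholds (5 attempts per 10 minutes, then 5/15/60-minute lockouts) and the `notify` hook for logging or admin notification are assumptions; `now` is passed in as epoch seconds so the behaviour is deterministic.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class _AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of failures in the current window
    lockouts: int = 0                                     # lockouts so far; drives escalation
    locked_until: Optional[float] = None


class LoginThrottle:
    """Per-account failed-login limiter with escalating lockouts (constructed example, assumed defaults)."""

    def __init__(self, max_attempts: int = 5, window_seconds: int = 600,
                 lockout_seconds=(300, 900, 3600), notify: Callable[[str], None] = print):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout_seconds = tuple(lockout_seconds)
        self.notify = notify  # hypothetical hook: write a log line and/or alert an admin
        self._state: Dict[str, _AccountState] = {}

    def is_locked(self, username: str, now: float) -> bool:
        st = self._state.get(username)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def record_failure(self, username: str, now: float) -> Optional[float]:
        st = self._state.setdefault(username, _AccountState())
        st.failures = [t for t in st.failures if now - t < self.window]  # sliding window: expire old failures
        st.failures.append(now)
        if len(st.failures) < self.max_attempts:
            return None
        # Escalate: 1st lockout uses lockout_seconds[0], 2nd uses [1], ... capped at the last value
        duration = self.lockout_seconds[min(st.lockouts, len(self.lockout_seconds) - 1)]
        st.locked_until = now + duration
        st.lockouts += 1
        st.failures.clear()
        self.notify(f"account locked: user={username} lockout#{st.lockouts} for {duration}s")
        return st.locked_until  # lock expiry time when this failure triggered a lock

    def record_success(self, username: str) -> None:
        self._state.pop(username, None)  # a successful login clears counters and escalation


def attempt_login(throttle: LoginThrottle, username: str, password_ok: bool, now: float) -> str:
    # Server-side decision: the lock check runs before any credential result is honoured.
    if throttle.is_locked(username, now):
        return "locked"
    if password_ok:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, now)
    return "denied"
```

A correct password is still rejected while the account is locked, which is what makes the limit effective against guessing rather than merely slowing it down.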