ID: 0026361
Project: mantisbt
Category: security
View Status: public
Last Update: 2021-10-12 14:34
Reporter: jcamara
Assigned To:
Priority: normal
Severity: feature
Reproducibility: N/A
Status: new
Resolution: open
Product Version: 2.22.0
Summary: 0026361: Avoid multiple login attempts
Description

Our security department suggests including a feature to prevent multiple login attempts in order to increase the access security level.

It could be:

  • reCaptcha
  • Temporary IP block

This feature may be activated on first login access failure.

Tags: No tags attached.

Relationships

related to 0029167 (new): Please enable the captcha in login page

Activities

dregad (developer), 2019-11-15 08:50, note ~0063100

We already have a feature that will lock the users' account after a predetermined, configurable number of failed attempts. See $g_max_failed_login_count (OFF by default).

I'm not sure if that satisfies your requirement. If not, then please be more precise in your specification of how you expect the system to behave.

jcamara (reporter), 2019-11-15 09:11, note ~0063101

It could be a solution, but in order to prevent an attack on a known username (like jcamara) that results in a user lock, the suggestion is:

  • Use a captcha, like Google reCaptcha, to implement a control over bots.
    OR
  • Block access from an IP (not the user) that exceeds the max failed login count.

In an extreme case, there may be an external attack using a set of specific usernames that results in an account lock.
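The trade-off discussed in this thread, as an added Python illustration (not MantisBT code, whose $g_max_failed_login_count feature is written in PHP): one throttle class keyed either by username with a permanent lock, or by source IP with a timed block, replayed against a constructed sequence of login events. The threshold, block duration, usernames and TEST-NET addresses are all constructed for the example.

```python
"""Added illustration, not MantisBT code: per-account lockout (what
$g_max_failed_login_count does) versus the per-IP temporary block proposed above."""
from collections import defaultdict

MAX_FAILED = 3  # constructed threshold, stands in for $g_max_failed_login_count


class FailedLoginThrottle:
    """Count failures per key and block that key after MAX_FAILED of them.
    key="username", block_seconds=None -> permanent account lock (MantisBT-style)
    key="ip", block_seconds=300        -> temporary block of the source IP (proposal)"""

    def __init__(self, key, block_seconds=None):
        self.key, self.block_seconds = key, block_seconds
        self.failures = defaultdict(int)
        self.blocked_until = {}  # key -> expiry time, or None for a permanent lock

    def attempt(self, username, ip, success, now):
        k = username if self.key == "username" else ip
        until = self.blocked_until.get(k)
        if k in self.blocked_until and (until is None or until > now):
            return "blocked"  # refused even if the password is correct
        if success:
            self.failures[k] = 0
            return "ok"
        self.failures[k] += 1
        if self.failures[k] >= MAX_FAILED:
            self.blocked_until[k] = None if self.block_seconds is None else now + self.block_seconds
            self.failures[k] = 0
        return "denied"


def replay(policy, events):
    """Feed (username, ip, success, time) events to a policy and return its decisions."""
    return [policy.attempt(*e) for e in events]


# Constructed scenario: three bad guesses at the known username "jcamara" from
# 203.0.113.7, then the real user logs in from 198.51.100.5 (both TEST-NET ranges).
EVENTS = [
    ("jcamara", "203.0.113.7", False, 0),
    ("jcamara", "203.0.113.7", False, 1),
    ("jcamara", "203.0.113.7", False, 2),
    ("jcamara", "198.51.100.5", True, 10),   # legitimate user, different IP
    ("jcamara", "203.0.113.7", False, 20),   # same source keeps guessing
    ("jcamara", "203.0.113.7", False, 400),  # after the 300 s IP block has expired
]

if __name__ == "__main__":
    print("account lockout:", replay(FailedLoginThrottle("username"), EVENTS))
    print("ip block:       ", replay(FailedLoginThrottle("ip", 300), EVENTS))
```

With the account policy the legitimate login at t=10 is refused ("blocked"), which is the lock-out effect the reporter describes; with the IP policy it succeeds while the guessing source stays blocked until its timer expires.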