View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0009789 | mantisbt | authentication | public | 2008-11-07 16:31 | 2019-02-16 07:03 |
Reporter | llattan | Assigned To | |||
Priority | normal | Severity | feature | Reproducibility | always |
Status | acknowledged | Resolution | open | ||
Platform | all | OS | all | OS Version | all |
Product Version | 1.1.4 | ||||
Summary | 0009789: password policies and lockout for failed login attempts | ||||
Description | I would like my mantisbt to be accessible from the internet, but I think it could be insecure. Could you add password policies and lockouts for failed attempts to login? I hope you can help me. Regards. | ||||
Tags | No tags attached. | ||||
related to | 0009788 | closed | captcha on login screen |
I agree that this would be a nice addition. I was thinking of the same thing lately. Would be nice to capture some brainstorming of what should be done:
Hi there, it's also related to thread http://www.mantisbt.org/bugs/view.php?id=9788. This is what the config_defaults_inc.php says about $g_max_failed_login_count: /**
*/ I didn't really explore the code, but I can say that the statement "Value resets to zero at each successfully login" ... When attempting to login with a wrong username/password, the browser message is: "Your account may be disabled or blocked or the username/password you entered is incorrect." But that's not true: the account isn't disabled or blocked. After $g_max_failed_login_count an attacker can keep on trying to brute force. It should show e.g.: "Your account is disabled or blocked. Even if you provide the correct username and password this time, login isn't possible. Please click 'Lost your password?' to make use of password reset functionality." ... And of course the "Value resets to zero" thing should be removed resp. rewritten.
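The note above describes a failure counter that resets on the next successful login and a message that does not actually block anything. As an added example (not MantisBT's own code; the class, method and option names are assumptions, with $maxFailed standing in for $g_max_failed_login_count and an in-memory array standing in for the database), here is a PHP 8 sketch of a lockout that refuses even correct credentials while the lock is active and clears the counter only on an unlocked success or a password reset:

```php
<?php
// Added example, not MantisBT code: a failed-login lockout that refuses even
// correct credentials while an account is locked, so the counter cannot be
// reset simply by eventually guessing the password. The names used here
// (LoginLockout, $maxFailed, $lockoutSeconds) are assumptions for the example.
declare(strict_types=1);

final class LoginLockout
{
    /** @var array<string, array{failed: int, locked_until: int}> assumed in-memory store (a real app would use the DB) */
    private array $store = [];

    public function __construct(
        private int $maxFailed = 5,        // stand-in for $g_max_failed_login_count
        private int $lockoutSeconds = 900  // assumed lockout window in seconds
    ) {
    }

    private function record(string $user): array
    {
        return $this->store[$user] ?? ['failed' => 0, 'locked_until' => 0];
    }

    public function isLocked(string $user, int $now): bool
    {
        return $this->record($user)['locked_until'] > $now;
    }

    /**
     * Returns 'ok', 'bad_credentials' or 'locked'. The credential check
     * ($verify) is never consulted while locked, so the counter resets only
     * after a successful login on an account that is not locked.
     */
    public function attempt(string $user, callable $verify, int $now): string
    {
        $rec = $this->record($user);
        if ($rec['locked_until'] > $now) {
            return 'locked';
        }
        if ($verify()) {
            unset($this->store[$user]);   // success while unlocked: clear the counter
            return 'ok';
        }
        $rec['failed']++;
        if ($rec['failed'] >= $this->maxFailed) {
            $rec['locked_until'] = $now + $this->lockoutSeconds;
            $rec['failed'] = 0;           // next lockout needs maxFailed new failures
        }
        $this->store[$user] = $rec;
        return 'bad_credentials';
    }

    /** Password reset clears the lock, matching the flow the note proposes. */
    public function clearAfterPasswordReset(string $user): void
    {
        unset($this->store[$user]);
    }

    /** Message per outcome; the locked one says plainly why login is refused. */
    public static function messageFor(string $outcome): string
    {
        return match ($outcome) {
            'ok' => 'Login successful.',
            'locked' => 'Your account is locked after too many failed logins. Even with the correct username and password, login is not possible until the lock expires or you use "Lost your password?".',
            default => 'The username/password you entered is incorrect.',
        };
    }
}

// Constructed demo run (not real traffic): three wrong guesses, then the
// correct password while locked, then the correct password after the window.
$lock = new LoginLockout(maxFailed: 3, lockoutSeconds: 600);
$now = 1000;
$wrong = fn (): bool => false;
$correct = fn (): bool => true;

for ($i = 0; $i < 3; $i++) {
    echo LoginLockout::messageFor($lock->attempt('alice', $wrong, $now)), PHP_EOL;
}
// Right password while locked is still refused.
echo LoginLockout::messageFor($lock->attempt('alice', $correct, $now + 1)), PHP_EOL;
// After the window the right password works and the counter is cleared.
echo LoginLockout::messageFor($lock->attempt('alice', $correct, $now + 601)), PHP_EOL;
var_dump($lock->isLocked('alice', $now + 602));
```

One caveat worth keeping in mind when adopting this: a per-username lock lets anyone who knows a username keep that account locked by sending wrong passwords, so a time-limited window (as above) or rate limiting by source, rather than a permanent block, is the usual compromise between brute-force resistance and this denial-of-service surface.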