View Issue Details

ID: 0026361
Project: mantisbt
Category: security
View Status: public
Last Update: 2019-11-15 09:11
Reporter: jcamara
Assigned To:
Priority: normal
Severity: feature
Reproducibility: N/A
Status: new
Resolution: open
Product Version: 2.22.0
Summary: 0026361: Avoid multiple login attempts
Description

Our security department suggests including a feature to avoid multiple login attempts in order to increase the access security level.

It could be:

  • reCaptcha
  • Temporary IP block

This feature may be activated on first login access failure.

Tags: No tags attached.

Activities

dregad (developer), 2019-11-15 08:50, ~0063100

We already have a feature that will lock the user's account after a predetermined, configurable number of failed attempts. See $g_max_failed_login_count (OFF by default).

I'm not sure if that satisfies your requirement. If not, then please be more precise in your specification of how you expect the system to behave.

jcamara (reporter), 2019-11-15 09:11, ~0063101

It could be a solution, but in order to prevent an attack on a known username (like jcamara) that results in a user lock, the suggestion is:

  • Use a captcha, like Google reCaptcha, to implement a control over bots.
    OR
  • Block access from an IP (not the user) exceeding max failed login count.

In an extreme case, there may be an external attack using a set of specific usernames that results in an account lock.
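The two controls discussed in this thread side by side, as an added illustrative example in Python (this is not MantisBT code; MantisBT's own $g_max_failed_login_count is a per-account counter, while the per-IP block, the thresholds, the window lengths and the sample addresses below are assumptions made for the example). The per-IP threshold is deliberately lower than the per-account one, so a single source hammering a known username is cut off before the victim's account locks; the second scenario shows the remaining gap when failures arrive from many addresses, which is the "extreme case" the comment above describes.

```python
"""Illustrative login throttle: per-IP temporary block plus per-account lock.

Added example, not MantisBT's implementation. Thresholds, window lengths and
IP addresses are constructed for the demonstration.
"""
from collections import defaultdict, deque
import time


class LoginThrottle:
    def __init__(self, ip_max_failures=5, ip_window_s=300, ip_block_s=900,
                 account_max_failures=10, clock=time.time):
        self.ip_max = ip_max_failures          # failures per IP inside the window
        self.ip_window = ip_window_s           # sliding window for IP failures
        self.ip_block = ip_block_s             # how long an IP stays blocked
        self.account_max = account_max_failures  # like $g_max_failed_login_count
        self.clock = clock                     # injectable for tests
        self._ip_failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._ip_blocked_until = {}             # ip -> unix time the block expires
        self._account_failures = defaultdict(int)
        self._locked_accounts = set()

    def _prune(self, ip, now):
        q = self._ip_failures[ip]
        while q and now - q[0] > self.ip_window:
            q.popleft()

    def is_ip_blocked(self, ip):
        until = self._ip_blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self._ip_blocked_until[ip]   # block expired, forget it
            return False
        return True

    def is_account_locked(self, username):
        return username in self._locked_accounts

    def attempt(self, ip, username, password_ok):
        """Return 'ip_blocked', 'account_locked', 'ok' or 'failed'."""
        now = self.clock()
        # A blocked source is rejected before the account counter is touched,
        # so it cannot push a known username towards the lock threshold.
        if self.is_ip_blocked(ip):
            return "ip_blocked"
        if self.is_account_locked(username):
            return "account_locked"
        if password_ok:
            self._account_failures[username] = 0
            self._ip_failures[ip].clear()
            return "ok"
        self._prune(ip, now)
        self._ip_failures[ip].append(now)
        if len(self._ip_failures[ip]) >= self.ip_max:
            self._ip_blocked_until[ip] = now + self.ip_block
        self._account_failures[username] += 1
        if self._account_failures[username] >= self.account_max:
            self._locked_accounts.add(username)
        return "failed"


def scenario_single_source():
    """Constructed scenario: one address sends 20 wrong passwords for 'jcamara'."""
    t = LoginThrottle()
    outcomes = [t.attempt("203.0.113.7", "jcamara", False) for _ in range(20)]
    return {
        "failed": outcomes.count("failed"),            # attempts that reached the counters
        "ip_blocked": outcomes.count("ip_blocked"),    # rejected at the IP gate
        "account_locked": t.is_account_locked("jcamara"),
        # the real user, from another address, is unaffected
        "victim_can_login_elsewhere": t.attempt("198.51.100.2", "jcamara", True) == "ok",
    }


def scenario_distributed():
    """Constructed scenario: ten addresses, one wrong password each, same username.
    No single IP trips the per-IP threshold, so only the account lock remains."""
    t = LoginThrottle()
    for i in range(10):
        t.attempt(f"203.0.113.{i + 10}", "jcamara", False)
    return t.is_account_locked("jcamara")


if __name__ == "__main__":
    print(scenario_single_source())
    print("locked by distributed failures:", scenario_distributed())
```

The single-source run records only five failures against the account before the address is blocked, so the account stays open and its owner can still log in from elsewhere; the distributed run shows that an IP block alone does not stop a lockout driven from many addresses, which is why the two counters are kept independent rather than one replacing the other.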

Issue History

Date Modified      Username   Field                Change
2019-11-15 03:45   jcamara    New Issue
2019-11-15 08:50   dregad     Severity             minor => feature
2019-11-15 08:50   dregad     Status               new => feedback
2019-11-15 08:50   dregad     Description Updated  View Revisions
2019-11-15 08:50   dregad     Note Added           0063100
2019-11-15 09:11   jcamara    Note Added           0063101
2019-11-15 09:11   jcamara    Status               feedback => new