View Issue Details

ID: 0026361
Project: mantisbt
Category: security
View Status: public
Last Update: 2019-11-15 09:11
Reporter: jcamara
Assigned To:
Status: new
Resolution: open
Product Version: 2.22.0
Summary: 0026361: Avoid multiple login attempts

Our security department suggests including a feature to avoid multiple login attempts in order to increase the access security level.

It could be:

  • reCaptcha
  • Temporary IP block

This feature may be activated on first login access failure.

Tags: No tags attached.




2019-11-15 08:50

developer   ~0063100

We already have a feature that will lock the user's account after a predetermined, configurable number of failed attempts. See $g_max_failed_login_count (OFF by default).

I'm not sure if that satisfies your requirement. If not, then please be more precise in your specification of how you expect the system to behave.



2019-11-15 09:11

reporter   ~0063101

It could be a solution, but in order to prevent an attack against a known username (like jcamara) that results in a user lock, the suggestion is:

  • Use a captcha, like Google reCaptcha, to implement a control over bots.
  • Block access from an IP (not the user) exceeding max failed login count.

In an extreme case, there may be an external attack using a set of specific usernames that results in an account lock.
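
The trade-off discussed in the two notes above, as an added example that is not MantisBT code and not part of the original thread: the same login attempts are replayed once with failures counted per username (account lockout) and once per source IP (temporary IP block). The limit of 3, the 15-minute window, the addresses and the event list are constructed assumptions.

```python
from collections import defaultdict, deque

MAX_FAILED = 3   # plays the role of $g_max_failed_login_count (value assumed)
WINDOW = 900     # seconds a failure keeps counting; an assumption of this sketch

class FailureCounter:
    """Sliding-window count of failed logins, keyed by username or by source IP."""
    def __init__(self):
        self._fails = defaultdict(deque)

    def add(self, key, now):
        self._fails[key].append(now)

    def exceeded(self, key, now):
        q = self._fails[key]
        while q and now - q[0] >= WINDOW:   # forget failures older than the window
            q.popleft()
        return len(q) >= MAX_FAILED

def replay(events, key_by):
    """Replay (time, ip, user, password_ok) events; key_by is "user" or "ip"."""
    counter, verdicts = FailureCounter(), []
    for now, ip, user, password_ok in events:
        key = user if key_by == "user" else ip
        if counter.exceeded(key, now):
            verdicts.append("blocked")      # refused before the password is checked
        elif password_ok:
            verdicts.append("ok")
        else:
            counter.add(key, now)
            verdicts.append("failed")
    return verdicts

# Constructed sample: one address guesses at "jcamara", then the real user logs in.
EVENTS = [
    (0, "203.0.113.7", "jcamara", False),
    (5, "203.0.113.7", "jcamara", False),
    (10, "203.0.113.7", "jcamara", False),
    (20, "203.0.113.7", "jcamara", False),
    (30, "198.51.100.20", "jcamara", True),    # legitimate owner, correct password
    (1000, "203.0.113.7", "jcamara", False),   # window has expired by now
]

if __name__ == "__main__":
    for policy in ("user", "ip"):
        print(policy, replay(EVENTS, policy))
```

With per-username counting the legitimate login at t=30 is refused; with per-IP counting it succeeds while the guessing address is refused. Per-IP counting only sees failures that share an address, so it complements rather than replaces other controls such as the CAPTCHA proposed above.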

Issue History

Date Modified Username Field Change
2019-11-15 03:45 jcamara New Issue
2019-11-15 08:50 dregad Severity minor => feature
2019-11-15 08:50 dregad Status new => feedback
2019-11-15 08:50 dregad Description Updated
2019-11-15 08:50 dregad Note Added: 0063100
2019-11-15 09:11 jcamara Note Added: 0063101
2019-11-15 09:11 jcamara Status feedback => new