View Issue Details

ID: 0035773
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2025-04-13 13:05
Reporter: Garima_00
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: no change required
Summary: 0035773: No lockout after multiple failed login attempts, increasing brute-force attack risk.
Description

The system does not lock user accounts after multiple failed login attempts, allowing unlimited attempts, which increases vulnerability to brute-force attacks.

Steps To Reproduce

1. Go to the login page.
2. Enter a valid username (e.g., admin) with an incorrect password.
3. Repeat step 2 more than 5 times.

Additional Information

Expected Result: User account should be temporarily locked after 5 consecutive failed attempts.

Actual Result: User can attempt login infinitely without any lockout mechanism.

Tags: No tags attached.

Relationships

related to 0026794 (closed, dregad): User Account - Takeover

Activities

dregad (developer), 2025-04-13 04:40, ~0070127

MantisBT does check for the maximum number of failed logins, based on $g_max_failed_login_count config option. This defaults to 5 since release 2.24.3 (see 0026794), previously it was unlimited by default.

Pranali Parate (reporter), 2025-04-13 11:42, ~0070142

I am also facing the same issue.

TanishaBhatt (reporter), 2025-04-13 13:05, ~0070143

Suggested Fix:
Lock the account after 5 failed login attempts to prevent brute-force attacks.

Technical Tip:
Use $g_max_failed_login_count in config_defaults_inc.php (default: 5).

User Message:
Too many failed attempts. Account locked for 15 minutes.