View Issue Details

ID: 0009789
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2019-02-16 07:03
Reporter: llattan
Assigned To:
Priority: normal
Severity: feature
Reproducibility: always
Status: acknowledged
Resolution: open
Platform: all
OS: all
OS Version: all
Product Version: 1.1.4
Target Version:
Fixed in Version:
Summary: 0009789: password policies and lockout for failed login attempts
Description

I would like my mantisbt to be accessible from the internet, but I think it could be insecure.

Could you add password policies and lockouts for failed login attempts?

I hope you can help me.

Regards.
Leandro.

Tags: No tags attached.

Relationships

related to 0009788 closed captcha on login screen 

Activities

vboctor (manager), 2008-11-07 17:55, note ~0019807

I agree that this would be a nice addition. I was thinking of the same thing lately. Would be nice to capture some brainstorming of what should be done:

  1. On 3 (configurable) failed logins, lock the account for 5 minutes. Potentially for this single IP?
  2. SOAP API should be secured in the same way / make sure there is a way to disable SOAP API all together.
  3. Email account owner on failed login attempts / account locking while providing the IP address of the failed attempt.
  4. Log failed login attempts (these events are consumed by the Event Log plugin).

JohnDelay (reporter), 2014-10-05 13:06, note ~0041383
Last edited: 2014-10-05 13:07

Hi there,

It's also related to thread http://www.mantisbt.org/bugs/view.php?id=9788

This is what config_defaults_inc.php says about $g_max_failed_login_count:

/**
 * Max. attempts to login using a wrong password before lock the account.
 * When locked, it's required to reset the password (lost password)
 * Value resets to zero at each successfully login
 * Set to OFF to disable this control
 * @global int $g_max_failed_login_count
 */

I didn't really explore the code, but I can say that the statement "Value resets to zero at each successfully login" makes this feature useless, or let's say: makes it 'not working' ...

When attempting to login with a wrong username/password, the browser message is: "Your account may be disabled or blocked or the username/password you entered is incorrect."

But that's not true - the account isn't disabled or blocked. After $g_max_failed_login_count an attacker can keep on trying to brute force.

It should show e.g.: "Your account is disabled or blocked. Even if you provide the correct username and password this time, login isn't possible. Please click 'Lost your password?' to make use of the password reset functionality." ... And of course the "Value resets to zero" thing should be removed resp. rewritten.
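The lockout scheme sketched in vboctor's list (a configurable failure threshold, a lock of a few minutes, optionally keyed on the source IP, and a record of the events for a log consumer) together with JohnDelay's point that a locked account must refuse even the correct password and that the failure counter should only reset on a real success, as an added example. This is illustrative Python written for this page; it is not code from MantisBT or from anyone in this thread. The names LockoutPolicy, LoginGuard, FakeClock and the two message strings are assumptions, and the caller is assumed to have already checked the credentials and to pass that result in.

```python
"""Failed-login lockout model (added example; not MantisBT code).

Combines the behaviour discussed in this thread: lock after a configurable
number of failures for a fixed window, optionally per source IP, refuse even
a correct password while locked, reset the counter only on a real success,
and keep an event list that a logging plugin could consume.
"""
import time
from typing import Callable, Dict, List, Tuple

# Message texts are assumptions for this example, not MantisBT's strings.
GENERIC_MSG = "The username/password you entered is incorrect."
LOCKED_MSG = ("Your account is temporarily locked after too many failed "
              "logins. Even a correct password is refused until the lock "
              "expires; use 'Lost your password?' to reset it now.")


class LockoutPolicy:
    """Configurable knobs (cf. $g_max_failed_login_count in the thread)."""

    def __init__(self, max_failed: int = 3, lock_seconds: int = 300,
                 per_ip: bool = True) -> None:
        self.max_failed = max_failed      # failures before locking
        self.lock_seconds = lock_seconds  # lock duration (5 minutes default)
        self.per_ip = per_ip              # key the lock on (user, ip), not user only


class LoginGuard:
    """Tracks failures and lock state; the caller does the credential check."""

    def __init__(self, policy: LockoutPolicy,
                 clock: Callable[[], float] = time.time) -> None:
        self.policy = policy
        self.clock = clock                          # injectable for testing
        self._failures: Dict[tuple, int] = {}       # key -> consecutive failures
        self._locked_until: Dict[tuple, float] = {}  # key -> lock expiry time
        self.events: List[Tuple[float, str, str, str]] = []  # audit trail

    def _key(self, username: str, ip: str) -> tuple:
        return (username, ip if self.policy.per_ip else None)

    def is_locked(self, username: str, ip: str) -> bool:
        until = self._locked_until.get(self._key(username, ip))
        return until is not None and self.clock() < until

    def attempt(self, username: str, ip: str,
                password_ok: bool) -> Tuple[bool, str]:
        """Apply the policy to one login attempt and return (success, message).

        password_ok is the outcome of the caller's credential check. While a
        lock is active the answer is a refusal regardless of password_ok, and
        the message says so, as JohnDelay's note asks.
        """
        key = self._key(username, ip)
        now = self.clock()
        if self.is_locked(username, ip):
            self.events.append((now, "rejected_locked", username, ip))
            return False, LOCKED_MSG
        self._locked_until.pop(key, None)           # drop an expired lock
        if password_ok:
            self._failures.pop(key, None)           # reset ONLY on real success
            self.events.append((now, "login_ok", username, ip))
            return True, "ok"
        count = self._failures.get(key, 0) + 1
        self._failures[key] = count
        self.events.append((now, "login_failed", username, ip))
        if count >= self.policy.max_failed:
            self._locked_until[key] = now + self.policy.lock_seconds
            self._failures.pop(key, None)           # counting restarts after the lock
            self.events.append((now, "account_locked", username, ip))
            return False, LOCKED_MSG
        return False, GENERIC_MSG


class FakeClock:
    """Deterministic clock so the lock expiry can be exercised offline."""

    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard(LockoutPolicy(max_failed=3, lock_seconds=300), clock)
    for _ in range(3):                       # three bad passwords -> lock
        print(guard.attempt("alice", "192.0.2.10", password_ok=False))
    print(guard.attempt("alice", "192.0.2.10", password_ok=True))   # still refused
    clock.now += 301                         # lock window has passed
    print(guard.attempt("alice", "192.0.2.10", password_ok=True))   # ok
    for event in guard.events:               # what a log plugin would receive
        print(event)
```

With per_ip left on, the lock applies to the (account, source address) pair, so a user logging in from elsewhere is not denied service by someone else's failures; setting per_ip to False gives the account-wide lock the config_defaults_inc.php comment describes, at the cost of that denial-of-service side effect. The events list carries the IP of each failure, which is what item 3 of vboctor's list would put in the notification e-mail.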

Issue History

Date Modified Username Field Change
2008-11-07 16:31 llattan New Issue
2008-11-07 17:55 vboctor Note Added: 0019807
2008-11-07 17:55 vboctor Status new => acknowledged
2008-11-07 17:57 vboctor Relationship added related to 0009788
2014-10-05 13:06 JohnDelay Note Added: 0041383
2014-10-05 13:07 JohnDelay Note Edited: 0041383
2014-11-25 12:38 vboctor Category feature => authentication