View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0009789 | mantisbt | authentication | public | 2008-11-07 16:31 | 2019-02-16 07:03 |
Summary: 0009789: password policies and lockout for failed login attempts
I would like my mantisbt to be accessible from the internet, but I think it could be insecure.
Could you add password policies and lockouts for failed attempts to log in?
I hope you can help me.
Tags: No tags attached.
I agree that this would be a nice addition. I was thinking of the same thing lately. Would be nice to capture some brainstorming of what should be done:
It's also related to thread http://www.mantisbt.org/bugs/view.php?id=9788
This is what the config_defaults_inc.php says about $g_max_failed_login_count
I didn't really explore the code, but I can say that the statement "Value resets to zero at each successfully login
When attempting to login with wrong username/password, browser message is: "Your account may be disabled or blocked or the username/password you entered is incorrect."
But that's not true - account isn't disabled or blocked. After $g_max_failed_login_count an attacker can keep on trying to brute force.
It should show e.g.: "Your account is disabled or blocked. Even if you provide the correct username and password this time, login isn't possible. Please click 'Lost your password?' to make use of password reset functionality." And of course the "Value resets to zero" thing should be removed resp. rewritten.
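The two lockout semantics the note above contrasts, as an added illustration in Python that is not MantisBT's code: a counter that any successful login clears (so the limit never actually stops guessing) versus a lock that rejects even the correct password until an explicit reset. `Account`, `AuthService`, `run_policy` and `MAX_FAILED_LOGIN_COUNT` are hypothetical names standing in for the real `$g_max_failed_login_count` handling, and the sample credentials are constructed.

```python
from dataclasses import dataclass
import hmac

MAX_FAILED_LOGIN_COUNT = 3  # hypothetical stand-in for $g_max_failed_login_count

LOCKED_MSG = ("Your account is locked. Even with the correct username and password, "
              "login is not possible; use 'Lost your password?' to reset it.")
GENERIC_MSG = "The username/password you entered is incorrect."


@dataclass
class Account:
    username: str
    secret: str             # constructed sample; a real store keeps a password hash
    failed_logins: int = 0
    locked: bool = False


class AuthService:
    """enforce_lockout=False: counter only, cleared by any success (limit is cosmetic).
    enforce_lockout=True: reaching the limit locks the account until an explicit reset."""

    def __init__(self, accounts, enforce_lockout):
        self.accounts = {a.username: a for a in accounts}
        self.enforce_lockout = enforce_lockout

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            return False, GENERIC_MSG        # same message for unknown users
        if self.enforce_lockout and acct.locked:
            return False, LOCKED_MSG         # correct credentials do not help here
        if hmac.compare_digest(acct.secret.encode(), password.encode()):
            acct.failed_logins = 0           # reset only on a genuine success
            return True, "ok"
        acct.failed_logins += 1
        if acct.failed_logins >= MAX_FAILED_LOGIN_COUNT:
            acct.locked = True
            if self.enforce_lockout:
                return False, LOCKED_MSG
        return False, GENERIC_MSG


def run_policy(enforce_lockout):
    """Three wrong guesses followed by the right one; returns each login's result."""
    svc = AuthService([Account("alice", "correct-horse")], enforce_lockout)
    return [svc.login("alice", g) for g in ("a", "b", "c", "correct-horse")]
```

With `enforce_lockout=False` the fourth attempt still opens the account after the limit was reached; with `enforce_lockout=True` it is rejected with the explicit locked message, which is the behaviour the note asks for.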
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2008-11-07 16:31 | llattan | New Issue | |
| 2008-11-07 17:55 | vboctor | Note Added: 0019807 | |
| 2008-11-07 17:55 | vboctor | Status | new => acknowledged |
| 2008-11-07 17:57 | vboctor | Relationship added | related to 0009788 |
| 2014-10-05 13:06 | JohnDelay | Note Added: 0041383 | |
| 2014-10-05 13:07 | JohnDelay | Note Edited: 0041383 | |
| 2014-11-25 12:38 | vboctor | Category | feature => authentication |