Feature #39999
closedFeature #47765: mgr/dashboard: security improvements
mgr/dashboard: Prevent brute-force/dictionary attacks against existing local user accounts
0%
Description
If passwords are used as an authentication feature (no SSO enabled), there must be protection against dictionary and brute force attacks, to make it more difficult to guess passwords.
Dictionary and brute force attacks aim to guess passwords of user and machine accounts by automated testing. To prevent this, various measures or a combination of such measures can be implemented.
- Increasing time delay (e.g. doubling the waiting time for each attempt) for re-entering a password after an unsuccessful attempt.
- Locking the user account after a specified number of failed attempts (typically 5). However, with this solution it should be remembered that this requires an unlocking process and that an attacker can use this to lock accounts and make them unusable.
- Use of CAPTCHA to prevent automated probing (often used in web applications)
In order to achieve a higher level of safety, it often makes sense to combine two or more of the above measures.
Motivation: Without appropriate protection, an attacker can attempt to determine a password by simply trying out dictionary lists or automatically generated character combinations in order to misuse the corresponding user account.
Updated by Lenz Grimmer almost 5 years ago
- Subject changed from mgr/dashboard: Prevent brute-force/dictionary attacks against existing user accounts to mgr/dashboard: Prevent brute-force/dictionary attacks against existing local user accounts
- Description updated (diff)
Updated by Lenz Grimmer almost 5 years ago
- Related to Feature #40329: mgr/dashboard: It should be possible to set an expiration date for the user password added
Updated by Lenz Grimmer almost 5 years ago
- Related to Feature #25232: mgr/dashboard: Support minimum password complexity rules added
Updated by Lenz Grimmer almost 5 years ago
- Related to Feature #25229: mgr/dashboard: Provide user enable/disable capability added
Updated by Lenz Grimmer almost 5 years ago
- Related to Feature #24655: mgr/dashboard: Enforce password change upon first login added
Updated by Lenz Grimmer almost 5 years ago
- Related to Feature #40248: mgr/dashboard: As a user, I want to change my password added
Updated by Lenz Grimmer almost 4 years ago
- Related to Feature #40914: mgr/dashboard: REST API: security added
Updated by Ernesto Puerta over 3 years ago
- Parent task set to #47765
- Tags deleted (
security)
Updated by Ernesto Puerta over 3 years ago
A reference for discussion on the effectiveness of account blockout: https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks
Updated by Ernesto Puerta over 3 years ago
- Status changed from New to Fix Under Review
- Assignee set to Nizamudeen A
- Pull request ID set to 38316
Updated by Nizamudeen A over 3 years ago
- Status changed from Fix Under Review to Resolved
Updated by Ernesto Puerta about 3 years ago
- Project changed from mgr to Dashboard
- Category changed from 150 to Component - Users & Roles