
Feature #39999

mgr/dashboard: Prevent brute-force/dictionary attacks against existing local user accounts

Added by Lenz Grimmer 4 months ago. Updated 4 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
dashboard/usermgmt
Target version:
-
Start date:
05/22/2019
Due date:
% Done:

0%

Source:
Tags:
Backport:
Reviewed:
Affected Versions:
Pull request ID:

Description

If passwords are used as an authentication feature (no SSO enabled), there must be protection against dictionary and brute force attacks, to make it more difficult to guess passwords.

Dictionary and brute force attacks aim to guess passwords of user and machine accounts by automated testing. To prevent this, various measures or a combination of such measures can be implemented.

  • Increasing the time delay before a password may be re-entered after an unsuccessful attempt (e.g. doubling the waiting time for each failed attempt).
  • Locking the user account after a specified number of failed attempts (typically 5). Note, however, that this requires an unlocking process, and that an attacker can abuse it to lock accounts and make them unusable.
  • Use of a CAPTCHA to prevent automated probing (often used in web applications).

In order to achieve a higher level of security, it often makes sense to combine two or more of the above measures.
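The following is an added illustration of how the first two measures combine in a single per-account throttle; it is example code written for this page, not code from the Ceph dashboard. `LoginThrottle`, `FakeClock` and the account name `alice` are constructed for the walkthrough; the clock is injectable so the sequence is deterministic.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class _UserState:
    failures: int = 0        # consecutive failed attempts
    not_before: float = 0.0  # epoch seconds before which a retry is rejected
    locked: bool = False     # set once failures reach the lockout threshold


class LoginThrottle:
    """Hypothetical per-account throttle combining a doubling delay after each
    failure with a lock after N failures (not the dashboard's own code)."""

    def __init__(self, base_delay: float = 1.0, max_delay: float = 300.0,
                 lockout_threshold: int = 5,
                 clock: Callable[[], float] = time.time) -> None:
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout_threshold = lockout_threshold
        self._clock = clock  # injectable so tests can control time
        self._state: Dict[str, _UserState] = {}

    def _get(self, username: str) -> _UserState:
        return self._state.setdefault(username, _UserState())

    def check(self, username: str) -> Tuple[bool, str, float]:
        """Decide (allowed, reason, seconds_to_wait) before the password is
        verified, so a locked or delayed account never reaches the hash check."""
        st = self._get(username)
        if st.locked:
            return False, "locked", 0.0
        remaining = st.not_before - self._clock()
        if remaining > 0:
            return False, "delayed", remaining
        return True, "ok", 0.0

    def record_failure(self, username: str) -> float:
        """Register a failed attempt; returns the delay imposed on the next try
        (0.0 once the account is locked, because no retry is possible)."""
        st = self._get(username)
        st.failures += 1
        if st.failures >= self.lockout_threshold:
            st.locked = True  # requires the explicit unlock process below
            return 0.0
        # doubling delay: base, 2*base, 4*base, ... capped at max_delay
        delay = min(self.base_delay * (2 ** (st.failures - 1)), self.max_delay)
        st.not_before = self._clock() + delay
        return delay

    def record_success(self, username: str) -> None:
        """A successful login clears the failure history for that account."""
        self._state.pop(username, None)

    def unlock(self, username: str) -> None:
        """Administrative unlock: the 'unlocking process' the measure requires."""
        self._state.pop(username, None)

    def failures(self, username: str) -> int:
        return self._get(username).failures


class FakeClock:
    """Constructed clock so the walkthrough below is deterministic."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def walkthrough() -> List[Tuple[int, str, float]]:
    """Constructed scenario: ten attempts with wrong passwords against one
    account; the guesser waits out each imposed delay. Returns the decision
    the throttle made for every attempt."""
    clock = FakeClock()
    throttle = LoginThrottle(base_delay=1.0, clock=clock)
    log: List[Tuple[int, str, float]] = []
    for attempt in range(1, 11):
        allowed, reason, wait = throttle.check("alice")
        if not allowed:
            log.append((attempt, reason, round(wait, 1)))
            if reason == "delayed":
                clock.advance(wait)  # guesser waits until the window reopens
            continue
        # the (constructed) password check fails every time
        delay = throttle.record_failure("alice")
        log.append((attempt, "failed", delay))
    return log


if __name__ == "__main__":
    for entry in walkthrough():
        print(entry)
```

In the walkthrough the delay grows 1, 2, 4, 8 seconds, so the fifth wrong guess is only reachable after 15 seconds of waiting and immediately locks the account; the tenth attempt is refused with `locked` and only `unlock()` clears it. Because that lock can be triggered by anyone who knows a username, the unlock path is what prevents the account-locking measure from becoming a self-inflicted outage.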

Motivation: Without appropriate protection, an attacker can attempt to determine a password by simply trying out dictionary lists or automatically generated character combinations in order to misuse the corresponding user account.

Related issues

Related to mgr - Feature #40329: mgr/dashboard: It should be possible to set an expiration date for the user password New 07/18/2019
Related to mgr - Feature #25232: mgr/dashboard: Support minimum password complexity rules Need Review 08/02/2018
Related to mgr - Feature #25229: mgr/dashboard: Provide user enable/disable capability Resolved 08/02/2018
Related to mgr - Feature #24655: mgr/dashboard: Enforce password change upon first login Need Review 06/25/2018
Related to mgr - Feature #40248: mgr/dashboard: As a user, I want to change my password Resolved 06/10/2019

History

#1 Updated by Lenz Grimmer 4 months ago

  • Subject changed from mgr/dashboard: Prevent brute-force/dictionary attacks against existing user accounts to mgr/dashboard: Prevent brute-force/dictionary attacks against existing local user accounts
  • Description updated (diff)

#2 Updated by Lenz Grimmer 2 months ago

  • Related to Feature #40329: mgr/dashboard: It should be possible to set an expiration date for the user password added

#3 Updated by Lenz Grimmer 2 months ago

  • Related to Feature #25232: mgr/dashboard: Support minimum password complexity rules added

#4 Updated by Lenz Grimmer 2 months ago

  • Related to Feature #25229: mgr/dashboard: Provide user enable/disable capability added

#5 Updated by Lenz Grimmer 2 months ago

  • Related to Feature #24655: mgr/dashboard: Enforce password change upon first login added

#6 Updated by Lenz Grimmer 2 months ago

  • Related to Feature #40248: mgr/dashboard: As a user, I want to change my password added
