Feature #47765: mgr/dashboard: security improvements
mgr/dashboard: Prevent brute-force/dictionary attacks against existing local user accounts
If passwords are used as an authentication feature (no SSO enabled), there must be protection against dictionary and brute force attacks, to make it more difficult to guess passwords.
Dictionary and brute force attacks aim to guess passwords of user and machine accounts by automated testing. To prevent this, various measures or a combination of such measures can be implemented.
- Increasing time delay (e.g. doubling the waiting time for each attempt) for re-entering a password after an unsuccessful attempt.
- Locking the user account after a specified number of failed attempts (typically 5). However, with this solution it should be remembered that this requires an unlocking process and that an attacker can use this to lock accounts and make them unusable.
- Use of CAPTCHA to prevent automated probing (often used in web applications).
In order to achieve a higher level of safety, it often makes sense to combine two or more of the above measures.
Motivation: Without appropriate protection, an attacker can attempt to determine a password by simply trying out dictionary lists or automatically generated character combinations in order to misuse the corresponding user account.
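A sketch of how the first two measures listed above can be combined, added here as an illustration and not taken from the Ceph dashboard code. The names `LoginThrottle` and `attempt_login`, the delay values, and the choice of a time-limited lock (so that no manual unlocking process is needed) are assumptions of this example.

```python
import time

class LoginThrottle:
    """Per-account failed-login tracking: doubling delay, then a temporary lock."""

    def __init__(self, base_delay=1.0, max_delay=300.0, lock_after=5,
                 lock_seconds=900.0, clock=time.monotonic):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.lock_after, self.lock_seconds = lock_after, lock_seconds
        self.clock = clock          # injectable so the logic can be tested
        self._state = {}            # username -> (failures, not_before)

    def retry_after(self, user):
        """Seconds that must still pass before another attempt (0 = allowed)."""
        _, not_before = self._state.get(user, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_failure(self, user):
        """Count a failed attempt and return the wait it imposes."""
        failures, _ = self._state.get(user, (0, 0.0))
        failures += 1
        if failures >= self.lock_after:
            wait = self.lock_seconds    # lock expires on its own
        else:
            wait = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[user] = (failures, self.clock() + wait)
        return wait

    def record_success(self, user):
        self._state.pop(user, None)

def attempt_login(throttle, user, password, check_password):
    """Return (ok, retry_after); the password is not checked while throttled."""
    wait = throttle.retry_after(user)
    if wait > 0:
        return False, wait          # rejected attempts do not extend the wait
    if check_password(user, password):
        throttle.record_success(user)
        return True, 0.0
    return False, throttle.record_failure(user)

if __name__ == "__main__":
    now = [0.0]                                   # constructed fake clock
    throttle = LoginThrottle(clock=lambda: now[0])
    check = lambda u, p: p == "correct"           # constructed credential check
    for _ in range(5):
        ok, wait = attempt_login(throttle, "admin", "guess", check)
        print(f"t={now[0]:>5.0f}s ok={ok} next attempt in {wait:.0f}s")
        now[0] += wait
```

While the lock is active even the correct password is refused, which is the account-denial side effect the description warns about; the expiring lock bounds it but does not remove it.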
#11 Updated by Ernesto Puerta about 3 years ago
A reference for discussion on the effectiveness of account blockout: https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks