Feature #39999

Feature #47765: mgr/dashboard: security improvements

mgr/dashboard: Prevent brute-force/dictionary attacks against existing local user accounts

Added by Lenz Grimmer over 4 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Component - Users & Roles
Target version:
-
% Done:
0%

Source:
Tags:
security
Backport:
Reviewed:
Affected Versions:
Pull request ID:

Description

If passwords are used as an authentication feature (no SSO enabled), there must be protection against dictionary and brute force attacks, to make it more difficult to guess passwords.

Dictionary and brute force attacks aim to guess passwords of user and machine accounts by automated testing. To prevent this, various measures or a combination of such measures can be implemented.

  • Increasing time delay (e.g. doubling the waiting time after each unsuccessful attempt) before a password can be re-entered.
  • Locking the user account after a specified number of failed attempts (typically 5). Note that this solution requires an unlocking process, and that an attacker can deliberately trigger it to lock accounts and make them unusable.
  • Use of CAPTCHA to prevent automated probing (often used in web applications).

In order to achieve a higher level of security, it often makes sense to combine two or more of the above measures.

Motivation: Without appropriate protection, an attacker can attempt to determine a password by simply trying out dictionary lists or automatically generated character combinations in order to misuse the corresponding user account.
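As an added illustration (not code from the Ceph dashboard or from this ticket's pull request), the following sketch combines the first two measures above: a per-account delay that doubles after each failed login, plus an automatic lock after a fixed number of failures. The class and constant names, the threshold of 5 and the lock duration are assumptions chosen for the example; the lock expires on its own so that the lockout-as-denial-of-service caveat noted above is bounded.

```python
from dataclasses import dataclass
import time

MAX_FAILURES = 5      # failures before the account is locked (illustrative value)
BASE_DELAY = 1.0      # seconds of delay after the first failure, doubled thereafter
LOCK_SECONDS = 900    # lock auto-expires, limiting deliberate lockouts by an attacker


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0   # epoch seconds before which attempts are refused
    locked_until: float = 0.0   # epoch seconds until which the account is locked


class LoginThrottle:
    """Server-side throttle keyed by username; clock is injectable for testing."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._state = {}   # username -> AccountState

    def check(self, username):
        """Return (allowed, seconds_to_wait) without consuming an attempt."""
        st = self._state.get(username)
        now = self._clock()
        if st is None:
            return True, 0.0
        if now < st.locked_until:
            return False, st.locked_until - now
        if now < st.next_allowed:
            return False, st.next_allowed - now
        return True, 0.0

    def record_failure(self, username):
        """Register a failed attempt; return the delay imposed before the next one."""
        st = self._state.setdefault(username, AccountState())
        now = self._clock()
        st.failures += 1
        delay = BASE_DELAY * 2 ** (st.failures - 1)   # 1, 2, 4, 8, 16 ... seconds
        st.next_allowed = now + delay
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCK_SECONDS
        return delay

    def record_success(self, username):
        """A correct password on an allowed attempt clears the account's counters."""
        self._state.pop(username, None)
```

The login handler would call `check()` before verifying the password and refuse the request with the returned wait time, then call `record_failure()` or `record_success()` depending on the outcome.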


Related issues

Related to Dashboard - Feature #40329: mgr/dashboard: It should be possible to set an expiration date for the user password Closed
Related to Dashboard - Feature #25232: mgr/dashboard: Support minimum password complexity rules Closed
Related to Dashboard - Feature #25229: mgr/dashboard: Provide user enable/disable capability Closed
Related to Dashboard - Feature #24655: mgr/dashboard: Enforce password change upon first login Closed
Related to Dashboard - Feature #40248: mgr/dashboard: As a user, I want to change my password Closed
Related to Dashboard - Feature #40914: mgr/dashboard: REST API: security Resolved

History

#1 Updated by Lenz Grimmer over 4 years ago

  • Subject changed from mgr/dashboard: Prevent brute-force/dictionary attacks against existing user accounts to mgr/dashboard: Prevent brute-force/dictionary attacks against existing local user accounts
  • Description updated (diff)

#2 Updated by Lenz Grimmer over 4 years ago

  • Related to Feature #40329: mgr/dashboard: It should be possible to set an expiration date for the user password added

#3 Updated by Lenz Grimmer over 4 years ago

  • Related to Feature #25232: mgr/dashboard: Support minimum password complexity rules added

#4 Updated by Lenz Grimmer over 4 years ago

  • Related to Feature #25229: mgr/dashboard: Provide user enable/disable capability added

#5 Updated by Lenz Grimmer over 4 years ago

  • Related to Feature #24655: mgr/dashboard: Enforce password change upon first login added

#6 Updated by Lenz Grimmer over 4 years ago

  • Related to Feature #40248: mgr/dashboard: As a user, I want to change my password added

#7 Updated by Lenz Grimmer over 3 years ago

#8 Updated by Ernesto Puerta about 3 years ago

  • Tags set to security

#9 Updated by Ernesto Puerta about 3 years ago

  • Parent task set to #47765
  • Tags deleted (security)

#10 Updated by Ernesto Puerta about 3 years ago

  • Tags set to security

#11 Updated by Ernesto Puerta about 3 years ago

A reference for discussion on the effectiveness of account blockout: https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks

#12 Updated by Ernesto Puerta almost 3 years ago

  • Status changed from New to Fix Under Review
  • Assignee set to Nizamudeen A
  • Pull request ID set to 38316

#13 Updated by Nizamudeen A almost 3 years ago

  • Status changed from Fix Under Review to Resolved

#14 Updated by Ernesto Puerta over 2 years ago

  • Project changed from mgr to Dashboard
  • Category changed from 150 to Component - Users & Roles
