incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Jaquith (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JSPWIKI-44) Add an invalid attempt lockout/unlock mechanism
Date Wed, 28 Nov 2007 06:06:43 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-44?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12546129
] 

Andrew Jaquith commented on JSPWIKI-44:
---------------------------------------

True enough. There are two approaches we could take, one for the short term and one for a
permanent fix.

Short-term: introducing a short delay between attempts (3-5 seconds) would at least put an
upper limit on how fast someone could slam POSTs to the login page.

Permanent: implement a proper lockout policy with configurable thresholds.

> Add an invalid attempt lockout/unlock mechanism
> -----------------------------------------------
>
>                 Key: JSPWIKI-44
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-44
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication&Authorization
>    Affects Versions: 2.4.104, 2.5.139-beta, 2.6.0
>            Reporter: Janne Jalkanen
>            Priority: Minor
>
> It is currently possible to attempt to brute force passwords, since there's no lock mechanism
for failed password attempts. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message