incubator-jspwiki-dev mailing list archives

From "Andrew Jaquith (JIRA)" <>
Subject [jira] Commented: (JSPWIKI-44) Add an invalid attempt lockout/unlock mechanism
Date Wed, 28 Nov 2007 06:06:43 GMT


Andrew Jaquith commented on JSPWIKI-44:

True enough. There are two approaches we could take, one for the short term and one for a
permanent fix.

Short-term: introducing a short delay between attempts (3-5 seconds) would at least put an
upper limit on how fast someone could slam POSTs to the login page.

Permanent: implement a proper lockout policy with configurable thresholds.

> Add an invalid attempt lockout/unlock mechanism
> -----------------------------------------------
>                 Key: JSPWIKI-44
>                 URL:
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication&Authorization
>    Affects Versions: 2.4.104, 2.5.139-beta, 2.6.0
>            Reporter: Janne Jalkanen
>            Priority: Minor
> It is currently possible to attempt to brute force passwords, since there's no lock mechanism
> for failed password attempts.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
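
The two approaches discussed in the comment above, sketched as an added example that is not code from JSPWiki or from the issue: a per-account delay after every failed attempt, plus a timed lockout with configurable thresholds. The class name `LoginThrottle`, its methods, and the 3-failure / 15-minute values are assumptions made for illustration; the 5-second delay is taken from the comment's 3-5 second range.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper, not a JSPWiki class: per-account delay plus timed lockout. */
public class LoginThrottle {
    private record State(int failures, Instant notBefore) {}

    private final int maxFailures;        // failures allowed before the account locks
    private final Duration attemptDelay;  // short-term approach: minimum gap after a failure
    private final Duration lockout;       // permanent approach: lock duration, then auto-unlock
    private final Map<String, State> states = new ConcurrentHashMap<>();

    public LoginThrottle(int maxFailures, Duration attemptDelay, Duration lockout) {
        this.maxFailures = maxFailures;
        this.attemptDelay = attemptDelay;
        this.lockout = lockout;
    }

    /** Time left before a password check may run; while non-zero, reject without checking. */
    public Duration waitRequired(String user, Instant now) {
        State s = states.get(user);
        if (s == null || !now.isBefore(s.notBefore())) return Duration.ZERO;
        return Duration.between(now, s.notBefore());
    }

    /** Record a failed check: every failure imposes the delay, the Nth imposes the lockout. */
    public void recordFailure(String user, Instant now) {
        states.compute(user, (k, old) -> {
            int n = (old == null ? 0 : old.failures()) + 1;
            return n >= maxFailures
                ? new State(0, now.plus(lockout))       // counter restarts once the lock expires
                : new State(n, now.plus(attemptDelay));
        });
    }

    /** A successful login, or an administrator's unlock, clears the account's state. */
    public void reset(String user) { states.remove(user); }

    public static void main(String[] args) {
        LoginThrottle t = new LoginThrottle(3, Duration.ofSeconds(5), Duration.ofMinutes(15));
        Instant now = Instant.parse("2007-11-28T06:00:00Z"); // constructed timestamps
        for (int i = 1; i <= 3; i++) {
            t.recordFailure("alice", now);
            System.out.println("failure " + i + " -> wait " + t.waitRequired("alice", now));
            now = now.plusSeconds(5); // client retries as soon as the delay expires
        }
    }
}
```

The login handler would call `waitRequired` before verifying the password and reject the request outright while it is non-zero, so attempts made during the delay or lockout never reach the password check.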
