Return-Path: Delivered-To: apmail-incubator-jspwiki-dev-archive@locus.apache.org Received: (qmail 37470 invoked from network); 28 Nov 2007 06:07:06 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 28 Nov 2007 06:07:06 -0000 Received: (qmail 9720 invoked by uid 500); 28 Nov 2007 06:06:55 -0000 Delivered-To: apmail-incubator-jspwiki-dev-archive@incubator.apache.org Received: (qmail 9701 invoked by uid 500); 28 Nov 2007 06:06:55 -0000 Mailing-List: contact jspwiki-dev-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: jspwiki-dev@incubator.apache.org Delivered-To: mailing list jspwiki-dev@incubator.apache.org Received: (qmail 9684 invoked by uid 99); 28 Nov 2007 06:06:55 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 27 Nov 2007 22:06:55 -0800 X-ASF-Spam-Status: No, hits=-100.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO brutus.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 28 Nov 2007 06:06:44 +0000 Received: from brutus (localhost [127.0.0.1]) by brutus.apache.org (Postfix) with ESMTP id 14804714208 for ; Tue, 27 Nov 2007 22:06:43 -0800 (PST) Message-ID: <2804079.1196230003048.JavaMail.jira@brutus> Date: Tue, 27 Nov 2007 22:06:43 -0800 (PST) From: "Andrew Jaquith (JIRA)" To: jspwiki-dev@incubator.apache.org Subject: [jira] Commented: (JSPWIKI-44) Add an invalid attempt lockout/unlock mechanism In-Reply-To: <12878253.1195410643079.JavaMail.jira@brutus> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/JSPWIKI-44?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12546129 ] Andrew Jaquith commented on JSPWIKI-44: --------------------------------------- True enough. There are two approaches we could take, one for the short term and one for a permanent fix. Short-term: introducing a short delay between attempts (3-5 seconds) would at least put an upper limit on how fast someone could slam POSTs to the login page. Permanent: implement a proper lockout policy with configurable thresholds. > Add an invalid attempt lockout/unlock mechanism > ----------------------------------------------- > > Key: JSPWIKI-44 > URL: https://issues.apache.org/jira/browse/JSPWIKI-44 > Project: JSPWiki > Issue Type: Improvement > Components: Authentication&Authorization > Affects Versions: 2.4.104, 2.5.139-beta, 2.6.0 > Reporter: Janne Jalkanen > Priority: Minor > > It is currently possible to attempt to brute force passwords, since there's no lock mechanism for failed password attempts. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.