request #8798 Sleep between login attempt [Brute Force protection]
#8798
belkebir (belkebir)
2016-01-21 17:22
2016-01-21 14:19
8916
    Sleep between login attempt [Brute Force protection]
I talked with Manuel and Thomas and noticed that there is no waiting time after several failed passwords on tuleap.net, nor on my.enalean, and probably not on any of our customers' instances either. It seems that a protection was in place before, but it is no longer.
    Site admin
    8.10
    • [ ] enhancement
    • [ ] internal improvement
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2016-01-21
    References
    Referenced by request #8798

    Follow-ups

Thanks for the explanation, I no longer remembered why this change was made.

    • Status changed from Verified to Closed
    • Assigned to changed from None to Thomas Gerbet (tgerbet)
    • Close date set to 2016-01-21
Thomas Gerbet (tgerbet) 2016-01-21 14:57
Indeed there was a sort of protection in an older Tuleap version. It was removed, you can see request #7754.
    The protection was inefficient and it was not possible to make it efficient without impacting legitimate users.

    Blocking brute force attack in this context is not really easy. We do not want to introduce the possibility of denial of service attacks or add a new possibility to enumerate users.

    Instead of using some kind of timeout/lock out account technique we could probably use a CAPTCHA to make the attack harder to realize. Also, multi factor authentication could help if your password is compromised.
    However for this issue the answer is not only technical. Brute force attacks are not realistic on a login form (too slow, way too slow...) when your users use a strong password so we should find ways to encourage that.
    TLDR: I do want to reintroduce this protection as is in Tuleap as it is useless and could even be dangerous.

    • Status changed from New to Verified
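The comment above rejects per-account lock-out because it enables denial of service against legitimate users and user enumeration. The following Python model, added here as an illustration and not taken from Tuleap or from the thread, reproduces both defects in a deliberately naive lock-out class and places a per-client sliding-window throttle with uniform responses beside it for comparison. The class names, the user store and the password-hash helper are constructed for the example; the throttle still only slows a single source and does not replace the CAPTCHA, MFA and strong-password measures the comment proposes.

```python
"""Model of per-account lock-out defects versus a per-client throttle.

Added example, not Tuleap code. All names and data below are constructed.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """PBKDF2-SHA256, stored as salt || digest (constructed helper)."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def verify_password(stored: bytes, password: str) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    return hmac.compare_digest(digest, candidate)


# Constructed user store with one real account.
USERS = {"alice": hash_password("correct horse battery staple")}
_DUMMY = hash_password("dummy")  # checked for unknown users so work is uniform


class AccountLockout:
    """Per-account lock-out: the design the thread argues against.

    Deliberately shows two defects: anyone can lock a known account with N
    bad guesses (DoS), and only existing accounts ever answer 'account
    locked', so the response reveals which usernames exist (enumeration).
    """

    def __init__(self, users, max_failures=5):
        self.users = users
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def login(self, username, password):
        if username not in self.users:
            return "invalid credentials"
        if self.failures[username] >= self.max_failures:
            return "account locked"  # distinct message: the oracle
        if verify_password(self.users[username], password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "invalid credentials"


class SourceThrottle:
    """Sliding-window limit keyed on the client (e.g. source IP), not the
    account, with one failure message for every non-success path and a
    dummy hash check for unknown usernames."""

    def __init__(self, users, max_attempts=10, window_seconds=60.0,
                 clock=time.monotonic):
        self.users = users
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self.failures = defaultdict(deque)  # client -> failure timestamps

    def _throttled(self, client):
        now = self.clock()
        q = self.failures[client]
        while q and now - q[0] > self.window:
            q.popleft()  # drop failures outside the window
        return len(q) >= self.max_attempts

    def login(self, client, username, password):
        if self._throttled(client):
            return "invalid credentials"
        stored = self.users.get(username, _DUMMY)
        if verify_password(stored, password) and username in self.users:
            return "ok"
        self.failures[client].append(self.clock())
        return "invalid credentials"


def lockout_defects():
    """Return (dos_possible, enumeration_possible) for AccountLockout."""
    auth = AccountLockout(USERS)
    for _ in range(5):
        auth.login("alice", "wrong")  # no password knowledge needed
    dos = auth.login("alice", "correct horse battery staple") != "ok"
    for _ in range(5):
        auth.login("nobody", "wrong")
    enumeration = auth.login("alice", "wrong") != auth.login("nobody", "wrong")
    return dos, enumeration


def throttle_properties():
    """Return (attacker_blocked, owner_unaffected, uniform, recovers)."""
    t = [0.0]
    auth = SourceThrottle(USERS, max_attempts=3, window_seconds=60,
                          clock=lambda: t[0])
    for _ in range(3):
        auth.login("evil", "alice", "wrong")
    blocked = auth.login("evil", "alice", "correct horse battery staple") != "ok"
    owner_ok = auth.login("home", "alice", "correct horse battery staple") == "ok"
    uniform = auth.login("evil", "nobody", "x") == auth.login("evil", "alice", "x")
    t[0] += 61.0  # window expires
    recovers = auth.login("evil", "alice", "correct horse battery staple") == "ok"
    return blocked, owner_ok, uniform, recovers


if __name__ == "__main__":
    print("lock-out: DoS=%s enumeration=%s" % lockout_defects())
    print("throttle: blocked=%s owner_ok=%s uniform=%s recovers=%s" % throttle_properties())
```

The `clock` parameter exists so the window can be advanced deterministically in a test; in production `time.monotonic` is used. The dummy hash verification for unknown usernames keeps the server's work, and therefore the response time, the same whether or not the account exists, which is the other channel a lock-out message would otherwise leak through.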