#676 PCI Compliance


I would like to propose a new feature to prevent brute force attacks and be compliant with PCI (Payment Card Industry) regulations. Lock password vault after (configurable) number of failed authentication attempts, and remain locked for (configurable) minutes before allowing authentication attempts again. The PCI regulation requires accounts to be locked after 6 failed authentication attempts and must remain locked for at least 30 minutes. These options should be enabled and configured by the password vault owner. This will make it significantly more difficult to brute force open someone's password vault. Thanks for listening.


  • Rony Shapiro

    Rony Shapiro - 2012-07-29

    Not sure why PasswordSafe would want to be PCI compliant, but in any case, this is one of those things that are easy to do in a manner that's trivial to break, and very difficult (if not impossible) to do in a secure manner.
    The main problem is that, unlike a website (or ATM) that has a well-defined interface, PasswordSafe is a program that's running on a general-purpose PC. This means that any implementation of a 'timed lockout' needs to consider trivial attacks that aren't relevant otherwise, for example:
    1. When one application locks, just launch another instance.
    2. Create a separate copy of the database for each attack.

    Also, there's nothing to prevent an attacker from writing a modified version of PasswordSafe that doesn't have such a lock-out mechanism.

    In short, it's a nice idea, but not really feasible on a general-purpose PC.
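To make the two bypasses above concrete, here is an added example (written for this page, not Password Safe's own code): a lockout policy with the numbers from the request (6 failures, 30-minute lockout, both configurable) and an injectable clock, followed by a simulation that assumes the attacker can start a fresh instance or database copy whenever the current one locks. The account name, the `vault` label and the clock values are constructed for the demonstration. The lockout only limits the number of guesses that reach the password check when the counter is held by a party the attacker cannot duplicate; once the counter lives in a process or file the attacker controls, every guess gets checked.

```python
"""Added example: a PCI-style lockout policy and why it gives nothing
when the lockout state sits with the attacker (not Password Safe code)."""
from typing import Dict


class LockoutPolicy:
    """Per-account failed-attempt counter with a timed lockout.

    `now` is passed in explicitly so the policy can be tested without
    sleeping; in production it would be a monotonic clock on the
    verifier's side.
    """

    def __init__(self, max_failures: int = 6, lockout_seconds: int = 30 * 60):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lockout window has expired: clear the state for this account.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Returns 'locked' (guess refused without checking), 'ok' or 'failed'."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures.pop(account, None)  # success resets the counter
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
        return "failed"


def wrong_guesses_checked(policy: LockoutPolicy, guesses: int, now: float = 0.0) -> int:
    """Verifier-held counter: how many wrong guesses reach the password check."""
    checked = 0
    for _ in range(guesses):
        if policy.attempt("vault", False, now) == "failed":
            checked += 1
    return checked


def wrong_guesses_checked_with_fresh_copies(guesses: int, now: float = 0.0) -> int:
    """Attacker-held counter: the thread's items 1 and 2, simulated.

    Whenever the current instance reports 'locked', the attacker simply
    starts another instance (or works on a fresh copy of the database),
    which comes with an empty counter.
    """
    checked = 0
    policy = LockoutPolicy()
    for _ in range(guesses):
        if policy.attempt("vault", False, now) == "locked":
            policy = LockoutPolicy()  # new instance / fresh copy: counter starts at zero
            policy.attempt("vault", False, now)
        checked += 1
    return checked


if __name__ == "__main__":
    server_side = LockoutPolicy()
    print("verifier-held counter, 100 guesses:",
          wrong_guesses_checked(server_side, 100), "checked")
    print("attacker-held counter, 100 guesses:",
          wrong_guesses_checked_with_fresh_copies(100), "checked")
```

The first figure is bounded by `max_failures` per lockout window, which is what the PCI requirement is meant to achieve for a service that holds the counter; the second equals the number of guesses, which is Rony's point that on a general-purpose PC the feature adds no security against an offline attacker.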



  • Dave Griffin

    Dave Griffin - 2013-08-30

    I agree that as this is open source, someone can just disable such a feature from their version of the code and brute force all they want.

    Should such a request be flagged with a status of 'not going to implement' rather than pending for clarity?

  • Rony Shapiro

    Rony Shapiro - 2013-08-31
    • status: pending --> wont-fix
    • Group: --> Next_Release_(example)
  • Rony Shapiro

    Rony Shapiro - 2013-08-31

    Well, as a year has passed and no further inputs have arrived, I guess this can be closed.
    As an aside, this is a good example of a problem with the whole standards/compliance approach to security: It would be fairly simple to add the requested features to PasswordSafe, and then add "PCI-DSS compliant" to the web page, bragging rights, etc. However, in terms of actual security, this would add exactly zip, since the attacker would not necessarily feel obliged to limit himself to the PCI-DSS compliant version...

  • Dave Griffin

    Dave Griffin - 2013-09-02

    Thanks Rony. Fully agree, being standards compliant doesn't always help :-)

