Feature Requests item #3018011, was opened at 2010-06-18 14:30
Message generated for change (Tracker Item Submitted) made by badda
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=800590&aid=3018011&group_id=156638
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Badda (badda)
Assigned to: Nobody/Anonymous (nobody)
Summary: Lock user after n failed attempts to log in.
Initial Comment:
Currently, passwords can be brute-forced by a remote attacker by trying to log in with guessed passwords until success.
This can easily be prevented by introducing a (configurable) limit to the failed login attempts. After that, the user cannot log in anymore and a phpshell-admin must unlock the user (e.g. by editing a value in the config.php-file)
This would be my idea of implementing:
- introduce new value in config.php [settings]-section: max-login-attempts. Here the admin can specify the number of failed login-attempts after which the user is locked.
- A number is recorded and kept for each user that states the current amount of failed logins
- if this number is equal to or larger than max-login-attempts the user cannot log in at all
- this number is increased by one after each failed login-attempt for this user
- this number is set to zero after a successful login
- after a successful or failed login, the number of failed login-attempts will be shown to the user
This new feature would greatly increase the security of the script.
----------------------------------------------------------------------
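The lockout the request describes, as an added example (not PHPShell's own code; the config key, the counter file and the `alice` account are assumed):

```php
<?php
// Added example (not PHPShell's own code): per-user failed-login counter and
// lockout as the request describes. Assumed: $settings holds the [settings]
// section of config.php, and counters persist in a JSON file the admin edits
// (or deletes) to unlock a user.

function load_counts(string $file): array {
    if (!is_file($file)) {
        return [];
    }
    $data = json_decode((string) file_get_contents($file), true);
    return is_array($data) ? $data : [];
}

function save_counts(string $file, array $counts): void {
    file_put_contents($file, json_encode($counts), LOCK_EX);
}

function is_locked(array $counts, string $user, int $max): bool {
    return ($counts[$user] ?? 0) >= $max;
}

// Applies one login attempt to the counters. Returns [allowed, failed-count];
// the count is what the request says should be shown to the user afterwards.
function attempt_login(array &$counts, string $user, bool $passwordOk, int $max): array {
    if (is_locked($counts, $user, $max)) {
        return [false, $counts[$user] ?? 0];     // locked: reject regardless of password
    }
    if ($passwordOk) {
        $counts[$user] = 0;                       // successful login resets the counter
        return [true, 0];
    }
    $counts[$user] = ($counts[$user] ?? 0) + 1;   // failed attempt increments it
    return [false, $counts[$user]];
}

// Demonstration with constructed values: three wrong passwords, then the right
// one. In PHPShell this would sit in the login handler around its password check.
$settings = ['max-login-attempts' => 3];                   // assumed config.php key
$file     = sys_get_temp_dir() . '/phpshell-lockout.json'; // assumed counter file
if (is_file($file)) {
    unlink($file);                                         // start the demo clean
}
$counts = load_counts($file);
$max    = (int) $settings['max-login-attempts'];
foreach ([false, false, false, true] as $i => $passwordOk) {
    [$ok, $failed] = attempt_login($counts, 'alice', $passwordOk, $max);
    printf("attempt %d: %s, failed logins: %d\n", $i + 1, $ok ? 'allowed' : 'rejected', $failed);
}
save_counts($file, $counts);
```

Because the counter is keyed by user name, anyone who can reach the login page can lock a legitimate user out by submitting wrong passwords, so the admin reset the request describes is the recovery path and should be expected to be needed. The counter file must be writable by the web server but kept outside the web root.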