
Option To Lock User Out Permanently After Maximum Failed Password Attempts

    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      It has come to our attention that certain companies have a security policy to completely lock an account after a certain number of failed password attempts.

      Currently, Confluence still allows the user to log in with the correct password after the maximum failed attempts, as long as they enter the correct CAPTCHA.

      We need to allow admins the ability to completely lock the account after a number of failed attempts, something like what this query does:

      UPDATE cwd_user_attribute c JOIN cwd_user u ON c.user_id = u.id SET c.attribute_value = 'true', c.attribute_lower_value = 'true'
      WHERE u.user_name = '<username>' AND c.attribute_name = 'requiresPasswordChange';
      

      Where <username> is the user's username.
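The query above, as an added example that is not part of the original issue or any Atlassian code: it is rewritten with a subquery and a bound username, then run against a constructed in-memory SQLite schema holding only the columns the query references. It shows that the statement only changes an existing requiresPasswordChange row, so it touches zero rows for a user who has none; the sample users and the attribute name exampleOtherAttribute are made up.

```python
import sqlite3

# Constructed minimal schema: only the columns the query on this page references.
SCHEMA = """
CREATE TABLE cwd_user (id INTEGER PRIMARY KEY, user_name TEXT NOT NULL);
CREATE TABLE cwd_user_attribute (
    user_id INTEGER NOT NULL REFERENCES cwd_user(id),
    attribute_name TEXT NOT NULL,
    attribute_value TEXT,
    attribute_lower_value TEXT
);
"""

# Same effect as the UPDATE ... JOIN on this page, written with a subquery so it
# does not rely on MySQL's multi-table UPDATE syntax; the username is bound.
FORCE_CHANGE = """
UPDATE cwd_user_attribute
   SET attribute_value = 'true', attribute_lower_value = 'true'
 WHERE attribute_name = 'requiresPasswordChange'
   AND user_id IN (SELECT id FROM cwd_user WHERE user_name = ?)
"""

def build_sample_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO cwd_user VALUES (?, ?)",
                   [(1, "alice"), (2, "bob")])
    # alice has the attribute row; bob has no requiresPasswordChange row at all.
    db.executemany("INSERT INTO cwd_user_attribute VALUES (?, ?, ?, ?)",
                   [(1, "requiresPasswordChange", "false", "false"),
                    (1, "exampleOtherAttribute", "5", "5")])
    return db

def force_password_change(db, username):
    """Run the update and return how many attribute rows it touched."""
    cur = db.execute(FORCE_CHANGE, (username,))
    db.commit()
    return cur.rowcount

def flag_value(db, username):
    """Current requiresPasswordChange value, or None when no row exists."""
    row = db.execute(
        "SELECT a.attribute_value FROM cwd_user_attribute a "
        "JOIN cwd_user u ON u.id = a.user_id "
        "WHERE u.user_name = ? AND a.attribute_name = 'requiresPasswordChange'",
        (username,)).fetchone()
    return row[0] if row else None
```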

            [CONFSERVER-37575] Option To Lock User Out Permanently After Maximum Failed Password Attempts

            Adam Barnes (Inactive) added a comment -

            Thank you for raising this suggestion.
            We regret to inform you that due to limited demand, we have no plans to implement it in the foreseeable future. In order to set expectations, we're closing this request now. Sometimes potentially valuable tickets do get closed where the Summary or Description has not caught the attention of the community. If you feel that this suggestion is valuable, consider describing in more detail or outlining how this request will help you achieve your goals. We may then be able to provide better guidance.
            For more context, check out our Community blog on our updated workflow for Suggestions.
            Cheers,

            Confluence Product Management

            Farhood added a comment -

            In the summer, we have had a nice collaboration with Intenso to develop their plugins (Password Policy) such that it includes these features.
            They are now available for JIRA, Confluence and Stash. Of course, it would be really nice to have this feature included in Atlassian applications (as infrastructure for that is already there).


            Martin Resnick added a comment -

            We are looking to move from Trac to Jira, but with Trac we noticed people trying to log in.
            They had gotten pretty creative by finding a user's LinkedIn account and trying passwords like previous jobs, grad schools, ...

            So just using captcha is not a sufficient deterrent.
            In Trac we have implemented 5 wrong passwords in a row (no time limit) and lock the account permanently.
            Requires an admin to unlock.
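A small model of the two behaviours discussed in this thread, added here as an example and not taken from Confluence, Trac or any plugin: CAPTCHA-gated login after the failure limit versus a permanent lock that only an admin can clear. The class and method names are hypothetical, and passwords are held in plaintext only to keep the model short.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class Account:
    password: str           # plaintext only for this model
    failures: int = 0       # consecutive wrong passwords, no time window
    locked: bool = False    # set only under the permanent-lock policy

@dataclass
class LoginGate:
    max_failures: int = 5
    permanent_lock: bool = False
    accounts: dict = field(default_factory=dict)

    def login(self, user, password, captcha_ok=False):
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        if acct.locked:
            return "locked"               # a correct password no longer helps
        over_limit = acct.failures >= self.max_failures
        if over_limit and not self.permanent_lock and not captcha_ok:
            return "captcha_required"     # password is not evaluated at all
        if not hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failures += 1
            if self.permanent_lock and acct.failures >= self.max_failures:
                acct.locked = True
            return "denied"
        acct.failures = 0                 # a success resets the streak
        return "ok"

    def admin_unlock(self, user):
        """Only an administrator action clears a permanent lock."""
        acct = self.accounts[user]
        acct.locked, acct.failures = False, 0
```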

            Timothy Harris added a comment -

            We have a customer who has asked us to see what we can do about this issue. Both for Confluence AND Jira. Are there Java APIs available for this?

              Assignee: Unassigned
              Reporter: fsim Foo Sim (Inactive)
              Votes: 5
              Watchers: 7