- Suggestion
- Resolution: Fixed
- None
A hacker can try to log in to JIRA as many times as he wants.
You can build a client which sends username+password combinations as many times as you like.
.. and if you have the username, it is much easier to get in.
Implementation ideas:
1) Lock the user after X sequential incorrect logins
- X can be set by the administrator
- if the admin's own username is locked, it should be possible to unlock it from the console
2) Put the IP on a blacklist (unable to try to log in) after Y sequential incorrect logins - Y can be set by the administrator
- the IP can be removed from the blacklist by the admin, and it also should be possible to do this from the console
2) can also be done by using "bullet time" after Z sequential incorrect logins
- when the hacker has tried Z times to log in, the login will take 10 times longer
- when the hacker has tried 2*Z times to log in, the login will take 2*10 times longer
- .. until Y is reached and the IP is put on the blacklist
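The three ideas above (lock the user after X failures, slow the IP down by 10x per Z failures, blacklist the IP after Y failures, with console unlock for both) as one in-memory policy, written as an added example for this page, not JIRA's own code; the threshold values and the `attempt` return strings are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Lockout policy from the issue: X failures lock the user, every Z
    failures from an IP multiply its login delay by 10, Y failures
    blacklist the IP. Thresholds are admin-configurable (defaults assumed)."""
    max_user_failures: int = 5      # X
    max_ip_failures: int = 20       # Y
    slowdown_threshold: int = 3     # Z
    user_failures: dict = field(default_factory=dict)
    ip_failures: dict = field(default_factory=dict)
    locked_users: set = field(default_factory=set)
    blacklisted_ips: set = field(default_factory=set)

    def slowdown_factor(self, ip: str) -> int:
        """'Bullet time': 10x after Z failures, 2*10x after 2*Z, and so on."""
        steps = self.ip_failures.get(ip, 0) // self.slowdown_threshold
        return 10 * steps if steps else 1

    def attempt(self, username: str, ip: str, password_ok: bool) -> str:
        """Record one login attempt; the caller should sleep for
        slowdown_factor(ip) times the normal check duration before this."""
        if ip in self.blacklisted_ips:
            return "ip_blacklisted"
        if username in self.locked_users:
            return "user_locked"        # correct password does not help
        if password_ok:
            self.user_failures.pop(username, None)  # reset on success
            return "ok"
        self.user_failures[username] = self.user_failures.get(username, 0) + 1
        self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
        if self.user_failures[username] >= self.max_user_failures:
            self.locked_users.add(username)
            return "user_locked"
        if self.ip_failures[ip] >= self.max_ip_failures:
            self.blacklisted_ips.add(ip)
            return "ip_blacklisted"
        return "failed"

    def unlock_user(self, username: str) -> None:
        """Admin/console action, needed when the admin account itself is locked."""
        self.locked_users.discard(username)
        self.user_failures.pop(username, None)

    def unblacklist_ip(self, ip: str) -> None:
        """Admin/console action to remove an IP from the blacklist."""
        self.blacklisted_ips.discard(ip)
        self.ip_failures.pop(ip, None)
```

Note that a per-username lock lets anyone who knows a username deny that user service, which is why the issue asks for a console unlock path.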
- incorporates
  - JRASERVER-13569 CAPTCHA should be possible to enable on user login page (Closed)
- is blocked by
  - SER-87 Implement user lockout mechanism to stop bruteforce login attacks (Open)
- is incorporated by
  - JRASERVER-2740 Rules Governing Passwords - Password Policy (Not Being Considered)
- is related to
  - JRASERVER-15605 The use of existing CAPTCHA after a certain number of unsuccessful login attempts (Closed)
- relates to
  - JRASERVER-22314 Notify admins of blocked accounts due to failed login attempts (Closed)
When shall we get the new version? We also have to allow JIRA access to our customers, and the possibility of hacking into one of our accounts is keeping us still. We wouldn't want sensitive information to get public.
We're very interested in the new release.
Thank you