[JRASERVER-12380] Implement user lockout mechanism to stop bruteforce login attacks - Create and track feature requests for Atlassian products.

XML

Word

Printable

Feedback Policy:

We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

Hacker can try as many time he wants to login JIRA.

You can build client, which sends username+password combinations as many time as you like.

.. and if you have username, it is much easier to get in.

Implementation ideas:
1) Lock user after sequential X incorrect logins

X can be set by administrator
if admin's own username is locked, it should be possible to unlock from console
2) Set IP to blacklist (unable to try login) after sequential Y incorrect logins
Y can be set by administrator
IP can be removed from Blacklist by admin and it also should be possible to do from console

2) can be also done by using "bullet time" after sequential Z incorrect logins

when hacker has been tried Z times to login then login period will take time 10 times longer
when hacker has been tried 2*Z times to login then login period will take time 2*10 times longer
.. until Y is reached and IP is set to blacklist

incorporates

JRASERVER-13569 CAPTCHA should be possible to enable on user login page

is blocked by

SER-87 Implement user lockout mechanism to stop bruteforce login attacks

is incorporated by

JRASERVER-2740 Rules Governing Passwords - Password Policy

is related to

JRASERVER-15605 The use of existing CAPTCHA after a certain number of unsuccessful login attempts

relates to

JRASERVER-22314 Notifiy admins of blocked accounts due to failed login attempts