Suggestion
Resolution: Fixed
A hacker can try as many times as he wants to log in to JIRA.
You can build a client which sends username+password combinations as many times as you like.
... and if you have the username, it is much easier to get in.
Implementation ideas:
1) Lock the user after X sequential incorrect logins
- X can be set by the administrator
- if the admin's own username is locked, it should be possible to unlock it from the console
2) Put the IP on a blacklist (unable to try to log in) after Y sequential incorrect logins - Y can be set by the administrator
- the IP can be removed from the blacklist by the admin, and it also should be possible to do this from the console
2) can also be done by using "bullet time" after Z sequential incorrect logins
- when the hacker has tried Z times to log in, the login period will take 10 times longer
- when the hacker has tried 2*Z times to log in, the login period will take 2*10 times longer
- ... until Y is reached and the IP is put on the blacklist
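One way to implement the three ideas above (lock the account after X sequential failures, blacklist the source IP after Y, and "bullet time" that multiplies the login period by 10 per Z failures, plus console unlock for the admin). This is an added Python example, not JIRA's code and not anything attached to this issue; the class names ThrottlePolicy and LoginGuard, the threshold values, the FakeClock and the IP addresses are illustrative assumptions.

```python
"""Login throttling: per-user lockout, per-IP blacklist and progressive delay.

Illustrative example only (not JIRA's implementation). The X/Y/Z names follow
the issue description; everything else is an assumption of this example.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class ThrottlePolicy:
    """Administrator-tunable thresholds."""
    lock_user_after: int = 5          # X: sequential failures before the account is locked
    blacklist_ip_after: int = 20      # Y: sequential failures before the IP is blacklisted
    bullet_time_step: int = 3         # Z: every Z failures from one IP adds a delay tier
    base_delay_seconds: float = 1.0   # normal login period; tier n makes it 10*n times longer


@dataclass(frozen=True)
class LoginResult:
    status: str           # "ok", "bad_credentials", "user_locked", "ip_blacklisted", "too_early"
    delay_seconds: float  # how long this IP must wait before its next attempt is accepted


class FakeClock:
    """Deterministic clock so the demo and tests never really sleep."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginGuard:
    """Wraps a credential check with lockout, blacklist and bullet-time delay.
    State is in-memory; a real deployment would persist it across nodes."""

    def __init__(self, policy, verify_credentials, clock=time.monotonic):
        self.policy = policy
        self.verify = verify_credentials   # callable(username, password) -> bool
        self.clock = clock                 # injectable for tests
        self.user_failures = {}            # username -> sequential failures
        self.ip_failures = {}              # ip -> sequential failures
        self.next_allowed = {}             # ip -> earliest clock value of the next attempt
        self.locked_users = set()
        self.blacklisted_ips = set()

    def delay_for(self, ip):
        """Bullet time: Z failures -> 10x the login period, 2*Z -> 20x, and so on."""
        tier = self.ip_failures.get(ip, 0) // self.policy.bullet_time_step
        return self.policy.base_delay_seconds * (10 * tier if tier else 1)

    def attempt(self, username, password, ip):
        p = self.policy
        now = self.clock()
        if ip in self.blacklisted_ips:
            return LoginResult("ip_blacklisted", float("inf"))
        if now < self.next_allowed.get(ip, 0.0):
            # Enforced server-side, so a client that ignores the delay gains nothing.
            return LoginResult("too_early", self.next_allowed[ip] - now)
        locked = username in self.locked_users
        if not locked and self.verify(username, password):
            self.user_failures.pop(username, None)
            self.ip_failures.pop(ip, None)
            self.next_allowed.pop(ip, None)
            return LoginResult("ok", 0.0)
        # Failed (or locked) attempt: advance both counters, then apply X and Y.
        self.user_failures[username] = self.user_failures.get(username, 0) + 1
        self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
        if self.user_failures[username] >= p.lock_user_after:
            self.locked_users.add(username)
        if self.ip_failures[ip] >= p.blacklist_ip_after:
            self.blacklisted_ips.add(ip)
            return LoginResult("ip_blacklisted", float("inf"))
        delay = self.delay_for(ip)
        self.next_allowed[ip] = now + delay
        return LoginResult("user_locked" if locked else "bad_credentials", delay)

    # Console/administrator operations, so an admin locked out of the UI can recover.
    def unlock_user(self, username):
        self.locked_users.discard(username)
        self.user_failures.pop(username, None)

    def unblacklist_ip(self, ip):
        self.blacklisted_ips.discard(ip)
        self.ip_failures.pop(ip, None)
        self.next_allowed.pop(ip, None)


def demo():
    """Simulate one attacker IP guessing alice's password with X=5, Y=8, Z=3.
    Returns the guard and the (status, delay) of each of nine attempts."""
    clock = FakeClock()
    users = {"alice": "correct horse battery staple"}   # constructed sample data
    guard = LoginGuard(ThrottlePolicy(lock_user_after=5, blacklist_ip_after=8, bullet_time_step=3),
                       lambda u, pw: users.get(u) == pw, clock)
    statuses = []
    for i in range(9):
        r = guard.attempt("alice", f"guess{i}", "203.0.113.7")
        statuses.append((r.status, r.delay_seconds))
        if r.delay_seconds != float("inf"):
            clock.advance(r.delay_seconds)   # the attacker waits out the delay
    return guard, statuses


if __name__ == "__main__":
    for status, delay in demo()[1]:
        print(f"{status:16s} next attempt allowed after {delay}s")
```

Two caveats a practitioner would add to the issue's proposal. First, a hard lockout after X failures is itself a denial-of-service lever: anyone who knows the admin's username can lock it out with X wrong guesses, which is exactly why the console unlock matters and why many deployments prefer the delay or a CAPTCHA over locking. Second, the distinct statuses above are for server-side logic and logging only; the response shown to the client should be the same for `bad_credentials` and `user_locked`, otherwise the lock itself confirms that the username exists.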
Issue links:
- incorporates: JRASERVER-13569 CAPTCHA should be possible to enable on user login page (Closed)
- is blocked by: SER-87 Implement user lockout mechanism to stop bruteforce login attacks (Open)
- is incorporated by: JRASERVER-2740 Rules Governing Passwords - Password Policy (Not Being Considered)
- is related to: JRASERVER-15605 The use of existing CAPTCHA after a certain number of unsuccessful login attempts (Closed)
- relates to: JRASERVER-22314 Notify admins of blocked accounts due to failed login attempts (Closed)