Always show captchas on Jira login screen


      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      Hello Jira

      We see a security issue that unauthorized attacks on Jira (using i.e. brute force attacks) could find out whether a username exists or not by checking if the captcha request would appear.

      Use case:

      • When trying to log into Jira (or other Atlassian products) with an invalid username, the captcha request would never appear
      • As soon as a valid username would be entered, the captcha request would show up after n (as configurable in Jira) tries.

      This means, it would be possible to find out if a username exists or not.

      Suggestion:

      Would it be possible to configure Jira to ALWAYS show a captcha when logging into the system? That would of course mean that a user would always need to enter the captcha, but an unauthorized attack would not be able to determine existing usernames.

      I would be excited to hear your opinion on that issue.

      Thanks
      Tom

            Assignee:
            Unassigned
            Reporter:
            Tom
            Votes:
            4
            Watchers:
            10
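
The captcha behaviour reported in this issue can be modelled and checked for the username leak. This is an added example, not Jira code and not part of the original issue; the class names, the threshold value and the sample account are assumptions, and the per-submitted-name policy is an alternative that goes beyond the suggestion made here.

```python
from collections import defaultdict

THRESHOLD = 3          # the configurable "n" from the report; value is constructed
ACCOUNTS = {"alice"}   # constructed account store


class PerAccountCaptcha:
    """Reported behaviour: only failures against existing accounts are counted."""
    def __init__(self):
        self.failures = defaultdict(int)

    def captcha_required(self, username):
        return username in ACCOUNTS and self.failures[username] >= THRESHOLD

    def record_failure(self, username):
        if username in ACCOUNTS:
            self.failures[username] += 1


class AlwaysCaptcha(PerAccountCaptcha):
    """The suggestion in the issue: every login attempt carries a captcha."""
    def captcha_required(self, username):
        return True


class PerSubmittedNameCaptcha(PerAccountCaptcha):
    """Alternative (assumption): count failures for any submitted name."""
    def captcha_required(self, username):
        return self.failures[username] >= THRESHOLD

    def record_failure(self, username):
        # Production code would bound or expire this table.
        self.failures[username] += 1


def captcha_trace(policy, username, attempts=THRESHOLD + 2):
    """Captcha decision seen on each of `attempts` consecutive failed logins."""
    trace = []
    for _ in range(attempts):
        trace.append(policy.captcha_required(username))
        policy.record_failure(username)
    return trace


def leaks_existence(policy_cls):
    """True if an existing and an unknown name produce different captcha traces."""
    return captcha_trace(policy_cls(), "alice") != captcha_trace(policy_cls(), "no-such-user")
```

A policy passes the check only when the captcha sequence is identical for existing and non-existing names, which is the property the issue asks for.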