On Fri, May 6, 2016 at 8:04 AM, Johann Nallathamby <[email protected]> wrote:
> On Fri, May 6, 2016 at 12:09 AM, Prabath Siriwardana <[email protected]> wrote:
>
>> Currently, we have a policy to lock the user account after n number of
>> failed login attempts...
>>
>> Can we expand this to support the following scenarios...
>>
>> 1. Lock the account - and unlock it after n number of minutes
>>
>
> This is already available.
>

An improvement for this functionality would be to increase the lockout period with each consecutive failed attempt. Found [1] & [2], which have some guidelines for preventing brute force attacks.

[1] - https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Brute_Force_Login
[2] - https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks

Regards,
Omindu.

>
>> 2. Present a captcha after n number of failed login attempts
>>
>
> This can be done.
>
>
>> 3. Slow down the login response after each failed login attempt
>> (increasingly)
>>
>
> Will have to read up more on this feature.
>
> Regards,
> Johann.
>
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>
>> Mobile : +1 650 625 7950
>>
>> http://blog.facilelogin.com
>> http://blog.api-security.org
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Technical Lead & Product Lead of WSO2 Identity Server
> Governance Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+94777776950*
> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

--
Omindu Rathnaweera
Software Engineer, WSO2 Inc.
Mobile: +94 771 197 211
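An added illustration of the three mechanisms discussed in this thread (a lockout period that escalates with each consecutive failure streak, a captcha threshold, and a response delay that grows per failed attempt), written for this page and not code from WSO2 Identity Server; the class names and policy values are assumptions.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    max_failures: int = 5          # failures allowed before the account locks
    base_lockout_secs: int = 300   # first lockout period (assumed value)
    max_lockout_secs: int = 86400  # cap on the escalated lockout period
    captcha_after: int = 3         # require a captcha from this failure count on
    delay_step_secs: float = 0.5   # response delay grows by this much per failure
    max_delay_secs: float = 8.0    # cap on the added response delay

@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success
    lockouts: int = 0          # consecutive lockouts; drives the escalation
    locked_until: float = 0.0  # epoch seconds at which the current lock expires

class LoginThrottle:
    """Per-user failure tracking (hypothetical class, not WSO2 IS code). Answers:
    is the account locked, is a captcha required, how long to delay the response."""
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts = {}  # user -> AccountState

    def check(self, user: str, now: float) -> dict:
        st = self.accounts.setdefault(user, AccountState())
        locked = now < st.locked_until
        return {
            "locked": locked,
            "retry_after": st.locked_until - now if locked else 0.0,
            "captcha": st.failures >= self.policy.captcha_after,
            "delay": min(self.policy.max_delay_secs,
                         st.failures * self.policy.delay_step_secs),
        }

    def record_failure(self, user: str, now: float) -> AccountState:
        st = self.accounts.setdefault(user, AccountState())
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            # Escalate: each consecutive lockout doubles the previous period.
            period = min(self.policy.max_lockout_secs,
                         self.policy.base_lockout_secs * 2 ** st.lockouts)
            st.lockouts += 1
            st.locked_until = now + period
            st.failures = 0  # the next streak starts fresh once the lock expires
        return st

    def record_success(self, user: str) -> None:
        self.accounts[user] = AccountState()  # success clears streak and escalation
```

The caller applies the returned delay before responding and enforces the captcha; since sleeping a request thread per failed attempt is itself a resource-exhaustion vector, the delay is capped here and should ideally be tracked per source as well as per account.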
