Hi Omindu, Please see comments inline.
On Friday, 6 May 2016, Prabath Siriwardana <[email protected]> wrote:
>
> On Thu, May 5, 2016 at 10:02 PM, Omindu Rathnaweera <[email protected]> wrote:
>>
>> On Fri, May 6, 2016 at 8:04 AM, Johann Nallathamby <[email protected]> wrote:
>>>
>>> On Fri, May 6, 2016 at 12:09 AM, Prabath Siriwardana <[email protected]> wrote:
>>>
>>>> Currently, we have a policy to lock the user account after n number of
>>>> failed login attempts...
>>>>
>>>> Can we expand this to support following scenarios...
>>>>
>>>> 1. Lock the account - and unlock it after n number of minutes
>>>
>>> This is already available.
>>
>> An improvement for this functionality would be to increase the lockout
>> period with each consecutive failed attempt.
>
> Yes.. +1 for doing this too..

This should be an option only. Not every use case requires the exponential lock down period growth. There are a number of scenarios where the lock down period needs to be a constant. Therefore +1 for this as an optional feature.

Thanks and Regards,
Harshana

>> Found [1] & [2] which have some guidelines for preventing brute force
>> attacks.
>>
>> [1] - https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Brute_Force_Login
>> [2] - https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
>>
>> Regards,
>> Omindu.
>>
>>>> 2. Present a captcha after n number of failed login attempts
>>>
>>> This can be done.
>>>
>>>> 3. Slow down the login response after each failed login attempt
>>>> (increasingly)
>>>
>>> Will have to read up more on this feature.
>>>
>>> Regards,
>>> Johann.
>>>> --
>>>> Thanks & Regards,
>>>> Prabath
>>>>
>>>> Twitter : @prabath
>>>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>>> Mobile : +1 650 625 7950
>>>> http://blog.facilelogin.com
>>>> http://blog.api-security.org
>>>
>>> --
>>> Thanks & Regards,
>>> Johann Dilantha Nallathamby
>>> Technical Lead & Product Lead of WSO2 Identity Server
>>> Governance Technologies Team
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>> Mobile - +94777776950
>>> Blog - http://nallaa.wordpress.com
>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> [email protected]
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>> --
>> Omindu Rathnaweera
>> Software Engineer, WSO2 Inc.
>> Mobile: +94 771 197 211

--
Sent from Gmail Mobile for IPhone
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
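The policy discussed in this thread (lock after n failures, unlock after a fixed period, optionally grow the period with each consecutive lockout, present a captcha, slow the response) can be modelled in a few dozen lines. The following is an added example written for this thread; it is not code from the thread or from WSO2 Identity Server, and the class and parameter names (`LockoutPolicy`, `attempt_login`, `FakeClock`, `max_attempts`, `lockout_seconds`, `exponential`) are assumptions chosen here. It keeps state in memory and injects the clock so the growth of the lockout period can be checked without sleeping.

```python
"""Account lockout with a constant or an optionally growing lockout period.

Constructed example, not WSO2 Identity Server code. The `exponential` switch
is the optional feature argued for above: off by default, the period is a
constant; on, the k-th consecutive lockout lasts base * 2**k, capped.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class AccountState:
    """Per-user counters kept by the policy (in-memory, for illustration)."""
    failed_attempts: int = 0       # failures since the last success or lockout
    consecutive_lockouts: int = 0  # lockouts since the last successful login
    locked_until: float = 0.0      # epoch seconds; 0.0 means not locked


@dataclass
class LockoutPolicy:
    max_attempts: int = 5                 # failures before the account locks
    lockout_seconds: float = 300.0        # the period; the base when growing
    exponential: bool = False             # optional growth of the period
    max_lockout_seconds: float = 86400.0  # cap so growth cannot run away
    captcha_after: int = 3                # require a captcha from this failure on
    delay_step_seconds: float = 0.5       # extra response delay per failure
    max_delay_seconds: float = 8.0        # cap on the response delay
    clock: Callable[[], float] = field(default=time.time)  # injectable for tests
    states: Dict[str, AccountState] = field(default_factory=dict)

    def state(self, username: str) -> AccountState:
        return self.states.setdefault(username, AccountState())

    def lockout_period(self, consecutive_lockouts: int) -> float:
        """Constant period, or base * 2**k for the k-th consecutive lockout."""
        if not self.exponential:
            return self.lockout_seconds
        grown = self.lockout_seconds * (2 ** consecutive_lockouts)
        return min(grown, self.max_lockout_seconds)

    def seconds_until_unlock(self, username: str) -> float:
        return max(0.0, self.state(username).locked_until - self.clock())

    def is_locked(self, username: str) -> bool:
        return self.seconds_until_unlock(username) > 0.0

    def requires_captcha(self, username: str) -> bool:
        return self.state(username).failed_attempts >= self.captcha_after

    def response_delay(self, username: str) -> float:
        """Delay to apply before answering; grows with each failure."""
        n = self.state(username).failed_attempts
        return min(n * self.delay_step_seconds, self.max_delay_seconds)

    def record_failure(self, username: str) -> Optional[float]:
        """Count a failure; return the lockout period if this one locks."""
        st = self.state(username)
        st.failed_attempts += 1
        if st.failed_attempts < self.max_attempts:
            return None
        period = self.lockout_period(st.consecutive_lockouts)
        st.locked_until = self.clock() + period
        st.consecutive_lockouts += 1
        st.failed_attempts = 0  # a fresh window starts after the unlock
        return period

    def record_success(self, username: str) -> None:
        self.states[username] = AccountState()  # everything resets


def attempt_login(policy: LockoutPolicy, username: str, password: str,
                  verify: Callable[[str, str], bool]) -> dict:
    """Wrap a credential check with the policy; return a decision dict."""
    if policy.is_locked(username):
        # Locked accounts are refused before the password is even checked.
        return {"status": "locked",
                "retry_after": policy.seconds_until_unlock(username)}
    if verify(username, password):
        policy.record_success(username)
        return {"status": "ok", "delay": 0.0, "captcha_required": False}
    period = policy.record_failure(username)
    outcome = {"status": "failed" if period is None else "locked",
               "delay": policy.response_delay(username),          # slow down
               "captcha_required": policy.requires_captcha(username)}
    if period is not None:
        outcome["retry_after"] = period
    return outcome


class FakeClock:
    """Constructed clock so the demo and tests do not have to sleep."""
    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate(exponential: bool, lockouts: int = 3) -> list:
    """Drive `lockouts` consecutive lockouts of one user; return the periods."""
    clock = FakeClock()
    policy = LockoutPolicy(max_attempts=3, lockout_seconds=60.0,
                           exponential=exponential, clock=clock)

    def always_wrong(user: str, pw: str) -> bool:  # constructed credential check
        return False

    periods = []
    for _ in range(lockouts):
        result = None
        for _ in range(policy.max_attempts):
            result = attempt_login(policy, "alice", "bad", always_wrong)
        periods.append(result["retry_after"])
        clock.advance(result["retry_after"])  # wait out the lockout
    return periods


if __name__ == "__main__":
    print("constant   :", simulate(exponential=False))  # [60.0, 60.0, 60.0]
    print("exponential:", simulate(exponential=True))   # [60.0, 120.0, 240.0]
```

With `exponential=False` every lockout lasts the same `lockout_seconds`, which is the constant behaviour the reply asks to keep as the default; switching the flag on doubles the period per consecutive lockout up to `max_lockout_seconds`, and a successful login clears the counters so the growth only tracks unbroken runs of failures.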
