t oo created AIRFLOW-4182:
-----------------------------

             Summary: [security] ui - Lack of Account Lockout
                 Key: AIRFLOW-4182
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4182
             Project: Apache Airflow
          Issue Type: Improvement
          Components: security, ui
            Reporter: t oo


The Airflow application does not lock a user's account after a reasonable
number of failed login attempts. Account lockout is a mechanism used to stop
non-valid users from guessing the right password. It is also a protection
against brute force attacks, in which an automated system can try
common/dictionary passwords or even build passwords from a set of characters
in order to guess the valid one. The user is still able to log in after 10
failed login attempts.

Business Impact/Attack Scenario 
It is possible for an attacker to use dictionary or brute force attacks and
spread the requests over a particular amount of time to bypass the
validation. Once a username has been correctly guessed, the attacker may then
be able to gain access to the application.

Recommendation 
Enforce account lockout conditions to temporarily lock a user out after a number
of unsuccessful attempts. Typically, account lockout is set to 3-5 failed
login attempts.
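As an added illustration of the recommended control (example code written for this note, not Airflow's own authentication code nor the reporter's), a Python login wrapper that temporarily locks a username after a configurable number of failures and lets the lock expire on its own; `check_password`, `FakeClock` and `demo_check` are constructed for the example. The lock is keyed on the submitted username whether or not the account exists, so the response does not reveal which usernames are valid.

```python
import time
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    max_failures: int = 5            # threshold in the 3-5 range the report recommends
    lockout_seconds: float = 900.0   # temporary lock; expires without admin action
    window_seconds: float = 900.0    # failures older than this no longer count

@dataclass
class _Attempts:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0

class LoginGuard:
    """Wraps a credential check (hypothetical callable) with per-username lockout."""
    def __init__(self, check_password, policy=None, clock=time.monotonic):
        self._check = check_password
        self._policy = policy or LockoutPolicy()
        self._clock = clock          # injectable so lockout expiry can be demonstrated
        self._states = {}

    def is_locked(self, username):
        st = self._states.get(username)
        return st is not None and self._clock() < st.locked_until

    def attempt_login(self, username, password):
        """Return 'ok', 'bad_credentials' or 'locked'."""
        now = self._clock()
        st = self._states.setdefault(username, _Attempts())
        if now < st.locked_until:
            return "locked"          # password is not evaluated at all while locked
        st.failures = [t for t in st.failures if now - t < self._policy.window_seconds]
        if self._check(username, password):
            st.failures.clear()      # a successful login resets the counter
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= self._policy.max_failures:
            st.locked_until = now + self._policy.lockout_seconds
            st.failures.clear()
            return "locked"
        return "bad_credentials"

class FakeClock:
    """Manually advanced clock, used only to demonstrate lockout expiry."""
    now = 0.0
    def __call__(self):
        return self.now

def demo_check(username, password):
    """Constructed stand-in for a real credential check; 'alice' is not a real account."""
    return username == "alice" and password == "correct-horse"
```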



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)