[ https://issues.apache.org/jira/browse/AIRFLOW-4182?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ash Berlin-Taylor updated AIRFLOW-4182:
---------------------------------------
Summary: Rate limit log in attempts (was: [security] ui - Lack of Account
Lockout)
> Rate limit log in attempts
> --------------------------
>
> Key: AIRFLOW-4182
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4182
> Project: Apache Airflow
> Issue Type: Improvement
> Components: security, ui
> Reporter: t oo
> Priority: Minor
>
> The Airflow application does not lock a user's account after a reasonable
> number of failed login attempts. Account lockout is a mechanism used to stop
> non-valid users from guessing the right password. It is also a protection
> against brute force attacks wherein an automated system can use
> common/dictionary passwords or even build passwords based on a set of
> characters just to try to guess the valid one. The user is still able to
> log in after 10 failed login attempts.
> Business Impact/Attack Scenario
> It is possible for an attacker to use dictionary or brute force attacks and
> set it to attempt sending the requests over a particular amount of time to
> bypass the validation. Once a username has been correctly guessed, the
> attacker may then be able to gain access to the application.
> Recommendation
> Enforce account lockout conditions to temporarily lock a user out after a
> number of unsuccessful attempts. Typically, account lockout is set to 3-5
> failed login attempts.
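A temporary-lockout policy of the kind the report recommends, added here as an illustration; it is not Airflow's own code. The class name, the thresholds (5 failures in a 15-minute window, 15-minute lock) and the injectable clock are assumptions for this example.

```python
import time
from collections import defaultdict


class LoginAttemptLimiter:
    """Temporary account lockout after repeated failed logins (illustrative)."""

    def __init__(self, max_failures=5, window_seconds=900,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures      # assumed default: 5 failures
        self.window = window_seconds          # assumed default: 15-minute window
        self.lockout = lockout_seconds        # assumed default: 15-minute lock
        self.clock = clock                    # injectable for deterministic tests
        self._failures = defaultdict(list)    # username -> failure timestamps
        self._locked_until = {}               # username -> time the lock expires

    def _prune(self, user, now):
        # Drop failures older than the window so stale attempts never add up.
        cutoff = now - self.window
        self._failures[user] = [t for t in self._failures[user] if t > cutoff]

    def seconds_locked(self, user):
        """Remaining lockout time for user, or 0 if the account is not locked."""
        until = self._locked_until.get(user)
        if until is None:
            return 0
        remaining = until - self.clock()
        if remaining <= 0:
            del self._locked_until[user]      # lock has expired: clear it
            return 0
        return remaining

    def record_failure(self, user):
        """Record a failed login; return True if the account just became locked."""
        now = self.clock()
        self._prune(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            self._failures[user].clear()
            return True
        return False

    def record_success(self, user):
        """A successful login resets the failure counter for that user."""
        self._failures.pop(user, None)

    def attempt_login(self, user, password, check_password):
        """Wrap a password check with the policy; returns 'locked', 'ok' or 'failed'."""
        if self.seconds_locked(user) > 0:
            return "locked"               # checked first: no password feedback while locked
        if check_password(user, password):
            self.record_success(user)
            return "ok"
        self.record_failure(user)
        return "failed"
```

The lock is checked before the password so that a locked account gives the same answer for right and wrong passwords; the lock expires on its own because a permanent per-account lock would let anyone keep a legitimate user out by repeatedly failing on their username.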
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)