[
https://issues.apache.org/jira/browse/QPID-8272?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alex Rudyy updated QPID-8272:
-----------------------------
Fix Version/s: (was: qpid-java-broker-8.0.0)
> [Broker-J] Add ability to disable(lock) the account and/or report the number
> of failed login attempts when the number of consecutive logon attempts
> exceeds predefined threshold
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: QPID-8272
> URL: https://issues.apache.org/jira/browse/QPID-8272
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Reporter: Alex Rudyy
> Priority: Major
>
> Add ability to disable (lock) the account when the number of consecutive logon
> attempts exceeds predefined threshold.
> Different locking policies can be applied for interactive and
> non-interactive accounts.
> For example, for interactive accounts the following can be used:
> * If the account password length is 8 to 15 characters the account must be
> locked out until reset after at most 10 consecutive login failures.
> * If the account password length is 16 characters the account must lock out
> for at least 1 minute after at most 10 consecutive login failures.
> For non-interactive accounts the following can be used:
> * Accounts must be locked out for at least 1 minute after at most 10
> consecutive login failures. Lockout time should escalate by doubling with
> each sequential lockout or risk-appropriate monitoring of repeated lockouts
> to detect brute force attacks should be implemented.
> * For accounts with availability concerns when account lockout is
> impractical, the risk-appropriate monitoring of repeated failed login
> attempts needs to be added to detect brute force attacks.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
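
The lockout rules requested in the issue (a threshold of consecutive failures, a timed lock that doubles with each sequential lockout, or a lock held until reset) can be sketched as below. This is an added example, not Broker-J code or part of the original message: the class `LockoutTracker`, its methods and the account name are hypothetical. It assumes that a successful login or an administrator reset clears the escalation.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
/** Hypothetical tracker for the policy above; not a Broker-J class. */
public class LockoutTracker {
    private static final class State {
        int failures;                  // consecutive failures since last success or lockout
        int lockouts;                  // sequential lockouts since last reset
        Instant lockedUntil = Instant.MIN;
    }
    private final int threshold;       // e.g. 10 consecutive failures
    private final Duration baseLock;   // null means locked until reset
    private final Map<String, State> accounts = new ConcurrentHashMap<>();

    public LockoutTracker(int threshold, Duration baseLock) {
        this.threshold = threshold;
        this.baseLock = baseLock;
    }
    /** Time until which logins must be refused; Instant.MIN if never locked. */
    public Instant lockedUntil(String user) {
        State s = accounts.get(user);
        if (s == null) return Instant.MIN;
        synchronized (s) { return s.lockedUntil; }
    }
    /** Records a failed login; returns true if the account is locked afterwards. */
    public boolean recordFailure(String user, Instant now) {
        State s = accounts.computeIfAbsent(user, u -> new State());
        synchronized (s) {
            if (now.isBefore(s.lockedUntil)) return true;  // still locked, not counted
            if (++s.failures < threshold) return false;
            s.failures = 0;
            // Double the lock time with each sequential lockout; shift capped against overflow.
            s.lockedUntil = baseLock == null ? Instant.MAX
                : now.plus(baseLock.multipliedBy(1L << Math.min(s.lockouts++, 20)));
            return true;
        }
    }
    /** Successful login or administrator reset clears the account's state. */
    public void reset(String user) { accounts.remove(user); }
    public static void main(String[] args) {   // constructed timeline, account name is made up
        LockoutTracker t = new LockoutTracker(10, Duration.ofMinutes(1));
        Instant now = Instant.parse("2020-01-01T00:00:00Z");
        for (int round = 0; round < 3; round++) {
            for (int i = 0; i < 10; i++) t.recordFailure("svc-account", now);
            System.out.println("lockout " + (round + 1) + ": " + Duration.between(now, t.lockedUntil("svc-account")));
            now = t.lockedUntil("svc-account");  // next burst starts when the lock expires
        }
    }
}
```

The caller is expected to refuse authentication while `now` is before `lockedUntil(user)`, and the `lockouts` counter is the value a monitoring hook would report for repeated lockouts.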