** Tags added: newfeature -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/843561
Title: Temporarily lock accounts after too many bad passwords Status in Mahara ePortfolio: Fix Committed Bug description: To deter brute-forcing of passwords (and prevent ensuing DoS attacks), we should temporarily lock accounts once they've had too many (4? 5?) bad passwords. Considerations: - This should be as fast as possible and ideally not use extra queries. In a DoS setting, we want brute-forcers to add as little load as possible on the server. - To avoid adding a "locked until" field to the user table which needs to be updated constantly, maybe we should just unlock all users every time cron runs (every 5 min?) and tell users they've been locked out for up to 5 min. This will be particularly helpful once we fix bug 547469. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/843561/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
