Karsten Otto created JAMES-3669:
-----------------------------------
Summary: Delay on authentication failure
Key: JAMES-3669
URL: https://issues.apache.org/jira/browse/JAMES-3669
Project: James Server
Issue Type: Improvement
Components: UsersStore & UsersRepository
Affects Versions: master
Reporter: Karsten Otto
For standalone James installations, there should be some basic protection
against people/bots abusing James as a password oracle for
brute-force/dictionary attacks. This needs to be enforced in a central
location, so it affects all of the various protocols supported by James.
This proposal adds an option {{verifyFailureDelay}} to {{usersrepository.xml,
which}} delays the response if someone tries to authenticate with a
non-existing user orĀ
wrong password. There is intentionally no distinction between these two cases,
so it also covers username guessing attacks.
Introducing this feature should not affect existing James installations, so the
default is 0 delay/disabled.
T-Shirt size S.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org
