[Koha-bugs] [Bug 25935] New: Use time-based mechanism for account lockout
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Mon Jul 6 04:18:52 CEST 2020
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25935
Bug ID: 25935
Summary: Use time-based mechanism for account lockout
Change sponsored?: ---
Product: Koha
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5 - low
Component: Authentication
Assignee: koha-bugs at lists.koha-community.org
Reporter: dcook at prosentient.com.au
QA Contact: testopia at bugs.koha-community.org
CC: dpavlin at rot13.org
Bug 18314 added account lockout for failed logins, but it's a hard lockout
which doesn't expire. While this has benefits, it does add administrative
overhead.
A well-crafted brute force attack could lock out all users permanently at
present.
A time-based mechanism could unlock the account after 15 minutes or so, and
further lockouts could get increasingly large lockout durations.
--
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
More information about the Koha-bugs
mailing list