| Reporter | PDStig | Assigned To | Guest |
|---|---|---|---|
| Priority | high | Severity | feature |
| Status | new | Resolution | open |

| Summary | 5775: Review behaviour of brute force logins with IP address |
|---|---|
| Description | The current behaviour with failed logins is that brute force compares to the exact IP address. Is this secure enough? Perhaps we should compare to the first three (six) parts instead so it is more tolerant of botnets trying to target a specific user account. Or, do away with IP checking completely. |
| Additional Information | The current set-up allows an army of botnets on different IP addresses (especially IPv6) to mass-attempt logging in to a user's account. While still very difficult to do if the user has a good password and brute force security is strong (likely to run out of IPs from brute force banning before a success happens), I think we can do better than comparing the full IP address on every attempt. |

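A failed-login throttle that counts failures under the exact IP, the IP's network prefix and the targeted account at the same time, as an added example of the options the ticket weighs (it is not code from this tracker or from the project). The prefix lengths (/24 for IPv4, /64 for IPv6), the limits and the window are assumed values, and the simulated botnet is a constructed scenario; it goes beyond the ticket by combining all three keys rather than choosing one.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 600                      # assumed sliding window
LIMITS = {"ip": 5, "prefix": 20, "account": 10}   # assumed per-key limits


class LoginThrottle:
    """Track recent failed logins under several keys; any key over its limit blocks."""

    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS):
        self.limits = limits
        self.window = window
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures

    @staticmethod
    def prefix_of(ip):
        # Aggregate neighbouring addresses: /24 for IPv4, /64 for IPv6 (assumed lengths).
        addr = ipaddress.ip_address(ip)
        plen = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

    def keys(self, ip, username):
        return {"ip": ("ip", ip),
                "prefix": ("prefix", self.prefix_of(ip)),
                "account": ("account", username.lower())}

    def _count(self, key, now):
        q = self.failures[key]
        while q and q[0] <= now - self.window:   # drop failures outside the window
            q.popleft()
        return len(q)

    def blocked_reasons(self, ip, username, now):
        """Names of the limits this attempt exceeds; an empty list means allowed."""
        return [name for name, key in self.keys(ip, username).items()
                if self._count(key, now) >= self.limits[name]]

    def record_failure(self, ip, username, now):
        for key in self.keys(ip, username).values():
            self.failures[key].append(now)


def simulate_distributed_attack(n_hosts=12):
    """Constructed scenario: one attempt each from n_hosts IPv6 hosts in distinct /64s,
    all against the same account. Exact-IP and prefix keys never trip; the account key does."""
    t = LoginThrottle()
    for i in range(n_hosts):
        ip = f"2001:db8:{i:x}::1"            # a different /64 for every host
        reasons = t.blocked_reasons(ip, "alice", now=float(i))
        if reasons:
            return {"blocked_at": i, "reasons": reasons}
        t.record_failure(ip, "alice", now=float(i))
    return {"blocked_at": None, "reasons": []}
```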

| Tags | Roadmap: Over the horizon, Type: Security |
|---|---|