
Admin Console Login allows Brute Force Login

Description

Openfire Admin Console allows brute force login.
It MUST implement some security verifications and listeners that monitor login attempts.

  • Limit login attempts per IP in a time period.

  • Limit login attempts in a time period.

  • Test Cases (optional)

Environment

Every platform

Acceptance Test - Entry

None

Activity

Johannes Grimm
April 20, 2007, 9:31 PM

Perhaps simply delaying the error message would be sufficient, so brute force takes really long (0.5 or 1 sec should be enough).

Thiago Rocha Camargo
April 21, 2007, 12:00 AM

A day has 86400 seconds. A week 604800. I don't think that it's sufficient. In 3 months it's very easy to get in. I don't think admins change the admin password every month. Or at least we MUST not trust in it.
This is a Best Practices issue.

LG
April 22, 2007, 12:51 AM

Adding a random delay of 1-3 seconds before returning an error if the password is wrong is never a fault.
An option to limit the remote addresses (e.g. 10.0.0.0/24 or *.dialin.provider.com) would help a lot.
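The three mitigations discussed in this issue (a per-address and a global attempt limit in a time window from the description, a random 1-3 second delay on failure, and a remote-address restriction from the comments) fit together in one small component. The class below is an added illustration written for this page; it is not Openfire code and uses no Openfire API. Class and method names (LoginThrottle, allow, recordFailure, inCidr), the limits in main, and the sample addresses are all assumptions chosen for the example; the CIDR check handles IPv4 only.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ThreadLocalRandom;

/** Added example, not Openfire code: throttles admin-console login attempts. */
public class LoginThrottle {
    private final int perIpLimit;    // max failed attempts per remote address within the window
    private final int globalLimit;   // max failed attempts from all addresses within the window
    private final long windowMillis; // length of the sliding window
    private final Map<String, Deque<Long>> perIp = new HashMap<>();
    private final Deque<Long> global = new ArrayDeque<>();

    public LoginThrottle(int perIpLimit, int globalLimit, long windowMillis) {
        this.perIpLimit = perIpLimit;
        this.globalLimit = globalLimit;
        this.windowMillis = windowMillis;
    }

    /** Drops failure timestamps that have fallen out of the window. */
    private static void expire(Deque<Long> q, long now, long window) {
        while (!q.isEmpty() && now - q.peekFirst() >= window) {
            q.pollFirst();
        }
    }

    /** True if an attempt from this address may proceed to the credential check. */
    public synchronized boolean allow(String ip, long now) {
        expire(global, now, windowMillis);
        if (global.size() >= globalLimit) {
            return false; // site-wide limit hit: protects against distributed guessing
        }
        Deque<Long> q = perIp.get(ip);
        if (q == null) {
            return true;
        }
        expire(q, now, windowMillis);
        return q.size() < perIpLimit;
    }

    /** Records a failed attempt; call only after the credential check fails. */
    public synchronized void recordFailure(String ip, long now) {
        perIp.computeIfAbsent(ip, k -> new ArrayDeque<>()).addLast(now);
        global.addLast(now);
    }

    /** A successful login clears the per-address counter. */
    public synchronized void recordSuccess(String ip) {
        perIp.remove(ip);
    }

    /** Random 1-3 s pause to apply before reporting a failure (the delay from the comments). */
    public static long failureDelayMillis() {
        return ThreadLocalRandom.current().nextLong(1000, 3001);
    }

    /** IPv4 CIDR membership test for an address allow-list such as "10.0.0.0/24" (assumed format). */
    public static boolean inCidr(String ip, String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        int bits = Integer.parseInt(parts[1]);
        int addr = toInt(InetAddress.getByName(ip).getAddress());
        int net = toInt(InetAddress.getByName(parts[0]).getAddress());
        int mask = bits == 0 ? 0 : -1 << (32 - bits);
        return (addr & mask) == (net & mask);
    }

    private static int toInt(byte[] b) {
        return ((b[0] & 0xff) << 24) | ((b[1] & 0xff) << 16) | ((b[2] & 0xff) << 8) | (b[3] & 0xff);
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario: 5 failures per address, 50 overall, 15-minute window.
        LoginThrottle t = new LoginThrottle(5, 50, 15 * 60 * 1000L);
        long now = 0;
        for (int i = 0; i < 5; i++) {
            t.recordFailure("203.0.113.7", now); // documentation-range address, constructed
            now += 1000;
        }
        System.out.println("same address after 5 failures: " + t.allow("203.0.113.7", now));
        System.out.println("different address: " + t.allow("198.51.100.2", now));
        System.out.println("same address after window: " + t.allow("203.0.113.7", now + 15 * 60 * 1000L));
        System.out.println("10.0.0.42 in 10.0.0.0/24: " + inCidr("10.0.0.42", "10.0.0.0/24"));
        System.out.println("10.0.1.42 in 10.0.0.0/24: " + inCidr("10.0.1.42", "10.0.0.0/24"));
        System.out.println("failure delay (ms): " + failureDelayMillis());
    }
}
```

The login handler would call allow before checking the password, sleep for failureDelayMillis and call recordFailure when the check fails, and call recordSuccess when it succeeds; the global limit is what keeps a guesser who rotates source addresses from bypassing the per-address limit, which the delay alone (as the second comment points out) does not prevent.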

Assignee

Daniel Henninger

Reporter

Thiago Rocha Camargo

Labels

None

Expected Effort

None

Ignite Forum URL

None

Time tracking

0m

Time remaining

8h

Components

Fix versions

Due date

2006/03/24

Priority

Major