[JOC-1615] It should not be possible to guess known accounts from the response time of a failed login - SOS JIRA

XML

Word

Printable

Details

Type: Feature
Status: Released (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 2.5.5, 2.6.2
Fix Version/s: 2.5.6, 2.6.3
Component/s: JOC Cockpit Web Service
Labels:
None

Description

Current Situation

A login with an unknown account takes less time than a login with a known account.

Such disparities in response times for authentication attempts could allow attackers to guess valid user accounts. Armed with this knowledge they might subsequently launch brute-force attacks for credentials of valid accounts to achieve unauthorized access to JOC Cockpit.

Desired Behavior

Failed logins should enforce random delays.

First and second failed login: delay between 1s and 3s
Third and more failed logins: delay between 25s and 35s

A successful login resets the counting.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

JOC-1615.png
75 kB
22 September 2023 11:46

Activity

People

Assignee:: Uwe Risse

Reporter:: Uwe Risse

Approver:: Kanika Agrawal

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 01 September 2023 14:13

Updated:: 09 November 2023 13:53

Resolved:: 19 September 2023 12:44