View Issue Details

ID: 0000925
Project: SOGo
Category: Web General
View Status: public
Last Update: 2011-12-30 18:18
Reporter: gienger
Assigned To: ludovic
Priority: normal
Severity: feature
Reproducibility: always
Status: resolved
Resolution: no change required
Product Version: 1.3.3
Summary: 0000925: Penalty time after entering a wrong user/password combination
Description

Would it be possible to include a penalty timeout when entering a wrong password? Otherwise massive password dictionary attacks become easily feasible...

Tags: No tags attached.

Activities

ludovic (administrator), 2010-10-25 11:33, note ~0001646

If you enable password policy in your LDAP server and activate SOGo to use it, it'll do just that.

gienger (reporter), 2010-10-25 11:39, note ~0001647

I don't want an account to be locked after N tries, I would like to have a penalty timeout for every wrong password.
Password lockouts are evil as there's a simple possibility to run DoS attacks to lock out thousands of accounts.

Or did I miss something blatant concerning LDAP password policies?

ludovic (administrator), 2010-10-25 12:04, note ~0001648

A combination of pwdLockoutDuration, pwdMaxFailure and pwdFailureCountInterval would give you something very similar. No need to lock the account for a long time.
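As an added illustration of the combination described in this note (example code written for this page, not code from the ticket, SOGo or OpenLDAP), the Python model below simplifies the ppolicy overlay's bookkeeping: pwdFailureTime stamps older than pwdFailureCountInterval are purged, reaching pwdMaxFailure sets pwdAccountLockedTime, and the lock expires after pwdLockoutDuration. The policy values, the account password and the attempt timelines are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# Simplified model of the three ppolicy attributes named in the ticket.
# Values are constructed for this demonstration, not SOGo or OpenLDAP defaults.
@dataclass
class PwdPolicy:
    pwdMaxFailure: int = 3             # failures before the account is locked
    pwdFailureCountInterval: int = 30  # seconds after which old failures are purged
    pwdLockoutDuration: int = 10       # seconds a lock lasts (0 = until admin reset)

@dataclass
class Account:
    password: str
    pwdFailureTime: List[int] = field(default_factory=list)  # failed-bind timestamps
    pwdAccountLockedTime: Optional[int] = None               # set when locked

def bind(acct: Account, pol: PwdPolicy, supplied: str, now: int) -> str:
    """Return 'ok', 'invalid' or 'locked' for one bind attempt at second `now`."""
    if acct.pwdAccountLockedTime is not None:
        unlock_at = acct.pwdAccountLockedTime + pol.pwdLockoutDuration
        if pol.pwdLockoutDuration == 0 or now < unlock_at:
            return "locked"            # the penalty window is still running
        acct.pwdAccountLockedTime = None   # lock expired: short penalty, not a permanent lockout
        acct.pwdFailureTime = []
    if supplied == acct.password:
        acct.pwdFailureTime = []       # a successful bind resets the failure counter
        return "ok"
    if pol.pwdFailureCountInterval:    # drop failures older than the counting interval
        acct.pwdFailureTime = [t for t in acct.pwdFailureTime
                               if now - t < pol.pwdFailureCountInterval]
    acct.pwdFailureTime.append(now)
    if len(acct.pwdFailureTime) >= pol.pwdMaxFailure:
        acct.pwdAccountLockedTime = now
        return "locked"
    return "invalid"

def simulate(pol: PwdPolicy, attempts: Sequence[Tuple[int, str]]) -> List[str]:
    """Run a timeline of (second, supplied_password) against a fresh constructed account."""
    acct = Account(password="correct horse")
    return [bind(acct, pol, pw, t) for t, pw in attempts]

if __name__ == "__main__":
    burst = [(0, "x"), (1, "y"), (2, "z"), (5, "correct horse"), (13, "correct horse")]
    print(simulate(PwdPolicy(), burst))                      # short penalty, then ok
    print(simulate(PwdPolicy(pwdLockoutDuration=0), burst))  # permanent lockout, the DoS concern
    print(simulate(PwdPolicy(), [(0, "x"), (40, "y"), (80, "z")]))  # spaced failures never lock
```

With a short pwdLockoutDuration the third failure costs only a few seconds of denied binds, which is the penalty-timeout behaviour asked for; with pwdLockoutDuration set to 0 the same burst locks the account until an administrator intervenes.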

wsourdeau (viewer), 2010-10-29 19:57, note ~0001665

Pascal: also note that if a delay were to occur server-side because of this, this would also become prone to DoS attacks because of the process limits.

ludovic (administrator), 2011-12-30 18:18, note ~0003237

Solution "given" in the ticket - make use of password policy in the LDAP with proper password policy control attributes.

Issue History

Date Modified | Username | Field | Change
2010-10-25 11:33 | gienger | New Issue |
2010-10-25 11:33 | ludovic | Note Added | 0001646
2010-10-25 11:39 | gienger | Note Added | 0001647
2010-10-25 12:04 | ludovic | Note Added | 0001648
2010-10-29 19:57 | wsourdeau | Note Added | 0001665
2011-12-30 18:18 | ludovic | Note Added | 0003237
2011-12-30 18:18 | ludovic | Status | new => resolved
2011-12-30 18:18 | ludovic | Resolution | open => no change required
2011-12-30 18:18 | ludovic | Assigned To | => ludovic