Forum OpenACS Development: Announcement: Measure against password guessing attacks

Dear all,

The development version of OpenACS in CVS head contains a new measure against password guessing attacks:

  • OpenACS authentication can now optionally limit unsuccessful login attempts. By default, this measure is turned off, but it can be activated/controlled via the following new package parameters of acs-authentication:

    • MaxConsecutiveFailedLoginAttempts
    • MaxConsecutiveFailedLoginAttemptsLockoutTime
  • The logic works roughly like the following: upon unsuccessful login attempts, a counter for this user is incremented. When the counter is exceeded, more login attempts are blocked until the lockout time is reached.

  • A site-wide admin can check unsuccessful logins via /acs-admin/auth/ and unblock these manually before the lockout time expires if desired.

This logic has been implemented for several years in Learn@WU and was back-ported to the main framework.

Many thanks to Guenter Ernst for this effort!
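The counter-and-lockout logic described above, as an added Python illustration that is not OpenACS code (OpenACS itself is written in Tcl): the parameter values, the user name and the reading that the lockout starts once the counter exceeds the maximum are assumptions. During a lockout the attempt is refused even with the correct password, and a site-wide admin's manual unblock clears the state before the lockout time is reached.

```python
import time

# Constructed values for the two acs-authentication parameters named above.
MAX_CONSECUTIVE_FAILED_LOGIN_ATTEMPTS = 3
MAX_CONSECUTIVE_FAILED_LOGIN_ATTEMPTS_LOCKOUT_TIME = 600  # seconds

class LoginLimiter:
    def __init__(self, max_attempts, lockout_seconds, clock=time.time):
        self.max_attempts, self.lockout_seconds = max_attempts, lockout_seconds
        self.clock = clock        # injectable so the walkthrough is deterministic
        self.failed = {}          # user -> consecutive failure count
        self.locked_until = {}    # user -> epoch seconds when the lockout ends

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is not None and self.clock() >= until:
            self.unblock(user)    # lockout time reached: user starts fresh
        return user in self.locked_until

    def attempt(self, user, password_ok):
        """Record one login attempt; True only when the login succeeds."""
        if self.is_locked(user):
            return False          # blocked even if the password is right
        if password_ok:
            self.failed.pop(user, None)   # success resets the counter
            return True
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] > self.max_attempts:   # counter exceeded
            self.locked_until[user] = self.clock() + self.lockout_seconds
        return False

    def unblock(self, user):
        """Manual unblock, as a site-wide admin does via /acs-admin/auth/."""
        self.failed.pop(user, None)
        self.locked_until.pop(user, None)

def simulate():
    """One user: four failures, lockout, expiry, then an admin unblock."""
    now = [1000.0]
    lim = LoginLimiter(MAX_CONSECUTIVE_FAILED_LOGIN_ATTEMPTS,
                       MAX_CONSECUTIVE_FAILED_LOGIN_ATTEMPTS_LOCKOUT_TIME, lambda: now[0])
    out = [lim.attempt("alice", False) for _ in range(4)]  # 4th exceeds max
    out.append(lim.attempt("alice", True))   # locked: right password refused
    now[0] += MAX_CONSECUTIVE_FAILED_LOGIN_ATTEMPTS_LOCKOUT_TIME
    out.append(lim.attempt("alice", True))   # lockout time reached: succeeds
    out += [lim.attempt("alice", False) for _ in range(4)]  # locked again
    lim.unblock("alice")                     # admin clears it before expiry
    out.append(lim.attempt("alice", True))
    return out
```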

That's nice. I'm looking forward to testing it! I'm going to update core soon!

We shall thank Guenter and Gustaf one more time for all these years of contribution.

Best wishes