Dear all,
The development version of OpenACS in CVS head contains a new measure against password guessing attacks:
OpenACS authentication can now optionally limit unsuccessful login attempts. By default, this measure is turned off, but it can be activated/controlled via the following new package parameters of acs-authentication:
- MaxConsecutiveFailedLoginAttempts
- MaxConsecutiveFailedLoginAttemptsLockoutTime
The logic works roughly like the following: upon each unsuccessful login attempt, a counter for this user is incremented. When the counter exceeds the configured maximum, further login attempts for that user are blocked until the lockout time has elapsed.
A site-wide admin can check unsuccessful logins via /acs-admin/auth/ and unblock these manually before the lockout time expires if desired.
This logic has been in use in Learn@WU for several years and was back-ported to the main framework.
Many thanks to Guenter Ernst for this effort!
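As an added illustration of the counter-and-lockout scheme announced above (this is not OpenACS code and does not use the OpenACS API; the class, its method names, the "0 means disabled" convention and the reset of the counter once a lockout expires are all assumptions made for this example, while the two attribute names mirror the announced package parameters), here is a stand-alone model of the check, including the manual admin unblock:

```python
"""Stand-alone model of a consecutive-failed-login lockout.

Added example, not OpenACS code. The attribute names mirror the
acs-authentication parameters MaxConsecutiveFailedLoginAttempts and
MaxConsecutiveFailedLoginAttemptsLockoutTime; everything else here
(class and method names, 0 = disabled, counter reset after the lockout
window) is an assumption for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class _UserState:
    failures: int = 0          # consecutive failed attempts since last success
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


@dataclass
class LoginThrottle:
    # 0 disables the check (assumed to model the "turned off by default" state)
    max_consecutive_failed_login_attempts: int = 0
    # lockout window in seconds
    max_consecutive_failed_login_attempts_lockout_time: int = 600
    _users: dict = field(default_factory=dict)

    def _state(self, username: str) -> _UserState:
        return self._users.setdefault(username, _UserState())

    def is_locked(self, username: str, now: float) -> bool:
        st = self._state(username)
        if st.locked_until and now < st.locked_until:
            return True
        if st.locked_until and now >= st.locked_until:
            # lockout window over: forget it and start counting afresh (assumption)
            st.locked_until = 0.0
            st.failures = 0
        return False

    def attempt(self, username: str, password_ok: bool, now: float) -> str:
        """Gate one login attempt. Returns 'locked', 'ok' or 'failed'.

        The credential check itself is done elsewhere and passed in as
        password_ok; the throttle only refuses, counts and locks.
        """
        if self.max_consecutive_failed_login_attempts <= 0:
            return "ok" if password_ok else "failed"   # measure disabled
        if self.is_locked(username, now):
            return "locked"   # refused even if the password would be right
        st = self._state(username)
        if password_ok:
            st.failures = 0   # a success ends the consecutive run
            return "ok"
        st.failures += 1
        if st.failures >= self.max_consecutive_failed_login_attempts:
            st.locked_until = now + self.max_consecutive_failed_login_attempts_lockout_time
        return "failed"

    def locked_users(self, now: float) -> list:
        """What an admin overview would list: users inside their lockout window."""
        return sorted(u for u in list(self._users) if self.is_locked(u, now))

    def admin_unlock(self, username: str) -> None:
        """Manual unblock by a site-wide admin before the lockout time expires."""
        self._users.pop(username, None)


def demo() -> dict:
    """Run the scenarios on constructed input and return the observations."""
    t = LoginThrottle(max_consecutive_failed_login_attempts=3,
                      max_consecutive_failed_login_attempts_lockout_time=600)
    # three wrong passwords at t=0,1,2 -> locked until 602
    seq = [t.attempt("alice", False, now) for now in (0, 1, 2)]
    seq.append(t.attempt("alice", True, 3))      # right password, still locked
    listed = t.locked_users(3)
    t.admin_unlock("alice")
    seq.append(t.attempt("alice", True, 4))      # unblocked by admin -> ok

    # lockout expiring on its own: failures at 10,11,12 -> locked until 612
    for now in (10, 11, 12):
        t.attempt("bob", False, now)
    before = t.attempt("bob", True, 611)
    after = t.attempt("bob", True, 612)

    # default instance: measure off, no lockout however many failures
    off = LoginThrottle()
    never = {off.attempt("carol", False, n) for n in range(10)}
    return {"seq": seq, "listed": listed, "before": before,
            "after": after, "never": never}


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible: a lockout is checked before the password is looked at, so a locked account stays locked even for the correct password until the window passes or an admin intervenes, and a per-username lockout is itself something an attacker who knows a username can trigger, which is one reason the measure ships turned off and the admin page to unblock exists.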