[ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17502860#comment-17502860 ]
Bhavik Patel commented on RANGER-2362:
--------------------------------------

We have 2 approaches:
1. We can move all the DB (internal) users to external users so LDAP/AD will handle the lockout mechanism - required to check all the impacts
2. We have to implement the account lockout mechanism for internal users (using Spring Security) - required to check Spring configuration and code-level changes

> [security] Admin webui - Lack of account lockout
> ------------------------------------------------
>
>                 Key: RANGER-2362
>                 URL: https://issues.apache.org/jira/browse/RANGER-2362
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin, Ranger
>    Affects Versions: 1.0.0
>            Reporter: t oo
>            Priority: Major
>
> Account lockout is a mechanism used to stop non-valid users from guessing
> the right password. It is also a protection against brute force attacks
> wherein an automated system can use common/dictionary passwords or even build
> passwords based on a set of characters just to try to guess the valid one.
>
> The application does not implement an account lockout mechanism, leaving it
> susceptible to brute force attacks. These login pages were susceptible to
> this condition.
>
> It is possible for an attacker to use dictionary or brute force attacks and
> set it to attempt sending the requests over a particular amount of time to
> bypass the validation. Once a username has been correctly guessed, the
> attacker may then be able to gain access to the application. Since it is
> vulnerable to the Form Auto Complete Active vulnerability (LINK), which makes the
> email addresses easier to guess, it will make a brute force attack more
> likely.
>
> Enforce account lockout conditions to prevent intrusions and improve
> password requirements and complexity to avoid the chances of brute force
> and dictionary attacks from working.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
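One way to implement the per-account lockout that approach 2 proposes, as an added example that is not Ranger's code and does not use Spring Security's classes: a sliding-window failure counter with a timed lock, checked before the password is verified. The thresholds, the epoch-second clock and the constructed plaintext credential store are assumptions for illustration.

```python
# Added example, not part of Ranger: per-account lockout policy.
# Times are epoch seconds; thresholds are assumed values.
MAX_FAILURES = 5          # failures within WINDOW that trigger a lock
WINDOW = 15 * 60          # sliding window for counting failures (seconds)
LOCK_DURATION = 30 * 60   # how long the account stays locked (seconds)


class AccountLockoutPolicy:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW,
                 lock_duration=LOCK_DURATION):
        self.max_failures = max_failures
        self.window = window
        self.lock_duration = lock_duration
        self._failures = {}      # username -> list of failure timestamps
        self._locked_until = {}  # username -> unlock timestamp

    def is_locked(self, username, now):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if now < until:
            return True
        # Lock expired: forget it and the stale failure history.
        del self._locked_until[username]
        self._failures.pop(username, None)
        return False

    def record_failure(self, username, now):
        """Count a failed login; return True if it triggered a lock."""
        recent = [t for t in self._failures.get(username, [])
                  if now - t < self.window]
        recent.append(now)
        self._failures[username] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[username] = now + self.lock_duration
            return True
        return False

    def record_success(self, username):
        # A successful login clears the failure history.
        self._failures.pop(username, None)


def attempt_login(policy, credentials, username, password, now):
    """Check the lock before verifying, so a locked account is refused even
    with the right password. Unknown usernames are counted too (the plain
    string compare stands in for a real password-hash check)."""
    if policy.is_locked(username, now):
        return "locked"
    if credentials.get(username) == password:
        policy.record_success(username)
        return "ok"
    policy.record_failure(username, now)
    return "denied"
```

The three return values are for the caller and the audit log; the message shown to the client should be the same for "locked" and "denied" so the response does not confirm which usernames exist.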