#36651: Brute-force password attack against inactive users returns distinct error message
-------------------------------------+-------------------------------------
Reporter: heindrickdumdum0217 | Owner: (none)
Type: Bug | Status: closed
Component: contrib.auth | Version: 5.2
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by heindrickdumdum0217):
Replying to [comment:2 Jacob Walls]:
> As mentioned in the ticket submission form, security-related reports are
> not to be submitted here. They should be sent to
> [email protected] instead.
>
> That said, we do not consider this a security issue. If the user is
> active, brute-forcing the password results in successful authentication.
> The techniques to protect against this are well-known, including requiring
> strong passwords and rate-limiting requests to authentication endpoints.
>
> Here you have raised the case where the user is inactive and
> authentication does not succeed, but the correctness of the password can
> be inferred from the variance in the error. But in the active user case,
> it's already "game over" if the password can be brute-forced. We wouldn't
> add complexity to treat the inactive user case differently. Moreover,
> reversing the order of conditions could cause an account enumeration
> attack, see #20760.
Hi Jacob,
Thanks for your comment.
Brute-forcing doesn't work for an active user, because after 3 consecutive
failed login attempts the account will be locked.
Of course we have implemented rate limiting too.
But even though we have rate limiting, it's still less secure, because
hackers can try as many different passwords as they like for an inactive
user until they reach the rate limit.
--
Ticket URL: <https://code.djangoproject.com/ticket/36651#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
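The following is an added illustration of the two behaviours discussed in this ticket; it is not Django's code and does not reproduce contrib.auth's internals. It uses a constructed in-memory user table, PBKDF2 from the standard library as a stand-in password hasher, and a hypothetical per-account failure counter (MAX_FAILURES = 3, matching the lockout threshold the reporter describes). `login_leaky` returns a distinct "account inactive" message once the password matches, so a wrong guess and a right guess against an inactive account are distinguishable; `login_uniform` returns one message for unknown user, wrong password and inactive account alike (which also avoids the enumeration problem referenced in #20760), and counts every failed attempt toward the lock whether or not the account is active.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 3  # assumption: lockout threshold quoted by the reporter
INVALID = "invalid credentials"


@dataclass
class User:
    # Constructed in-memory record; stands in for a real user model.
    username: str
    salt: bytes
    pw_hash: bytes
    is_active: bool
    failed_attempts: int = 0


def _hash(password: str, salt: bytes) -> bytes:
    # Stand-in hasher; any slow, salted KDF works for the demonstration.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, password: str, is_active: bool) -> User:
    salt = os.urandom(16)
    return User(username, salt, _hash(password, salt), is_active)


# Constructed sample accounts: one active, one inactive.
USERS = {
    "alice": make_user("alice", "correct horse", is_active=True),
    "bob": make_user("bob", "battery staple", is_active=False),
}


def _password_matches(user: User, password: str) -> bool:
    return hmac.compare_digest(_hash(password, user.salt), user.pw_hash)


def login_leaky(username: str, password: str) -> str:
    """Before: the error text depends on whether the password matched.

    A correct password against an inactive account yields a different
    message, so the caller learns the password was right."""
    user = USERS.get(username)
    if user is None or not _password_matches(user, password):
        return INVALID
    if not user.is_active:
        return "account inactive"  # distinct message: confirms the password
    return "ok"


def login_uniform(username: str, password: str) -> str:
    """After: unknown user, wrong password, inactive account and locked
    account all produce the same message, and inactive accounts accrue
    failed attempts exactly like active ones."""
    user = USERS.get(username)
    if user is None:
        return INVALID
    if user.failed_attempts >= MAX_FAILURES:
        return INVALID  # locked; deliberately not a distinct message
    if not _password_matches(user, password) or not user.is_active:
        user.failed_attempts += 1
        return INVALID
    user.failed_attempts = 0
    return "ok"


def failed_attempts(username: str) -> int:
    """Expose the counter so the lock behaviour can be checked."""
    return USERS[username].failed_attempts


if __name__ == "__main__":
    print(login_leaky("bob", "battery staple"))    # account inactive
    print(login_uniform("bob", "battery staple"))  # invalid credentials
```

The point of `login_uniform` is that the inactive check happens inside the same failure path as the password check: the response and the failure counter behave identically, so repeated guesses against an inactive account run into the same per-account lock as guesses against an active one.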