[
https://issues.apache.org/jira/browse/JSPWIKI-44?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12546129
]
Andrew Jaquith commented on JSPWIKI-44:
---------------------------------------
True enough. There are two approaches we could take, one for the short term and
one for a permanent fix.
Short-term: introducing a short delay between attempts (3-5 seconds) would at
least put an upper limit on how fast someone could slam POSTs to the login page.
Permanent: implement a proper lockout policy with configurable thresholds.
> Add an invalid attempt lockout/unlock mechanism
> -----------------------------------------------
>
> Key: JSPWIKI-44
> URL: https://issues.apache.org/jira/browse/JSPWIKI-44
> Project: JSPWiki
> Issue Type: Improvement
> Components: Authentication&Authorization
> Affects Versions: 2.4.104, 2.5.139-beta, 2.6.0
> Reporter: Janne Jalkanen
> Priority: Minor
>
> It is currently possible to attempt to brute force passwords, since there's
> no lock mechanism for failed password attempts.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
