Alex Rudyy created QPID-8272:
--------------------------------

             Summary: [Broker-J] Add ability to disable (lock) the account and/or report the number of failed login attempts when the number of consecutive logon attempts exceeds a predefined threshold
                 Key: QPID-8272
                 URL: https://issues.apache.org/jira/browse/QPID-8272
             Project: Qpid
          Issue Type: Improvement
          Components: Broker-J
            Reporter: Alex Rudyy
             Fix For: qpid-java-broker-8.0.0


Add ability to disable (lock) the account when the number of consecutive logon 
attempts exceeds a predefined threshold.

Different locking policies can be applied to interactive and non-interactive 
accounts.

For example, for interactive accounts the following can be used:
* If the account password length is 8 to 15 characters, the account must be 
locked out until reset after at most 10 consecutive login failures.
* If the account password length is 16 characters, the account must lock out for 
at least 1 minute after at most 10 consecutive login failures.

For non-interactive accounts the following can be used:
* Accounts must be locked out for at least 1 minute after at most 10 
consecutive login failures. Lockout time should escalate by doubling with each 
sequential lockout, or risk-appropriate monitoring of repeated lockouts to 
detect brute force attacks should be implemented.
* For accounts with availability concerns, where account lockout is impractical, 
risk-appropriate monitoring of repeated failed login attempts needs to be 
added to detect brute force attacks.
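As an added illustration (not Broker-J code and not part of the ticket), a small lockout tracker in Python modelling the policies above: a threshold of consecutive failures, a lockout that is either timed or held until administrative reset, and doubling escalation for sequential lockouts. The class and function names, and the rule that attempts made during a lockout neither count nor extend it, are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class LockoutPolicy:                          # parameters for one account class (constructed)
    max_failures: int = 10                    # "at most 10 consecutive login failures"
    base_lockout_seconds: Optional[int] = 60  # None: locked until an administrative reset
    escalate: bool = False                    # double the lockout on each sequential lockout

@dataclass
class AccountState:
    consecutive_failures: int = 0
    lockouts: int = 0                         # sequential lockouts so far, drives escalation
    locked_until: Optional[float] = None      # None: not locked; inf: locked until reset

class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}
    def is_locked(self, user: str, now: float) -> bool:
        st = self.accounts.setdefault(user, AccountState())
        return st.locked_until is not None and now < st.locked_until
    def record_failure(self, user: str, now: float) -> Optional[float]:
        """Count one failed login; return the lockout length in seconds if it triggers one."""
        st = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return None                       # assumption: attempts during a lockout neither count nor extend it
        st.consecutive_failures += 1
        if st.consecutive_failures < self.policy.max_failures:
            return None
        st.consecutive_failures = 0
        if self.policy.base_lockout_seconds is None:
            st.locked_until = float("inf")    # stays locked until admin_reset()
            return float("inf")
        duration = self.policy.base_lockout_seconds * (2 ** st.lockouts if self.policy.escalate else 1)
        st.lockouts += 1
        st.locked_until = now + duration
        return duration
    def record_success(self, user: str, now: float) -> bool:
        if self.is_locked(user, now):
            return False                      # correct password during a lockout is still rejected
        self.accounts[user] = AccountState()  # success clears the failure count and the escalation
        return True
    def admin_reset(self, user: str) -> None:
        self.accounts.pop(user, None)

def interactive_policy(password_length: int) -> LockoutPolicy:
    if 8 <= password_length <= 15:            # ticket's example: 8-15 chars lock until reset
        return LockoutPolicy(max_failures=10, base_lockout_seconds=None)
    return LockoutPolicy(max_failures=10, base_lockout_seconds=60)  # 16 chars: 1-minute timed lock
```

The non-interactive policy from the ticket is `LockoutPolicy(max_failures=10, base_lockout_seconds=60, escalate=True)`, which yields lockouts of 60, 120, 240 seconds and so on until a successful login or an administrative reset clears the escalation.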



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
