Declined | Suggested 2/3/2019 by Andreas

12 votes

Extra security to the invalid login attempts (maximum limit for invalid login attempts).

Security-wise, it would be safer if the user account were temporarily blocked/suspended when too many invalid login attempts are made.
At this moment the helpdesk application allows 5 invalid login attempts, then there has to be a gap of 5 minutes, and then again 5 invalid login attempts are allowed, and it continues the same way endlessly. This means that there is no limit on invalid login attempts.

There are different ways to add extra security to the user account and the invalid login attempts.
For example, if too many invalid login attempts are made, the user account is temporarily suspended and an email is sent to the user account's email address with a link to activate the user account and change the password.

Alex Tech
The danger of blocking/disabling a user account after invalid logins is that it introduces a new attack surface. Anyone can block anyone's account! A hacker can write a quick script to keep all your users disabled 24/7.
3/4/2019 5:22 AM
Andreas
Hi Alex, thank you for your feedback. Well, that's also an argument.
Perhaps there would be some other way to add extra security to the invalid login attempts.
If blocking/disabling a user account is not a good idea, then perhaps sending an email notification to the user about the invalid login attempts?
I just feel that some extra security around invalid login attempts would give more peace of mind.
3/4/2019 5:42 AM
Alex Tech
We have almost finished working on a new "progressive delays" feature (per user) that will increase the ban time with every failed attempt and also show a captcha image after the 2nd attempt. I'm gonna close this idea anyway since we're not going to implement the exact feature described, but thanks for bringing this up, we'll advance faster.
3/6/2019 3:18 PM
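The thread contrasts a fixed budget (five failures, a five-minute gap, then five more, indefinitely) with the per-user "progressive delays" Alex describes. The following Python is an added example written for this page, not the helpdesk product's code: it models both policies behind the same small interface, raises the captcha flag after the second failure, and simulates a script that guesses wrong as fast as each policy permits, to show how many guesses fit into one day. The doubling schedule (5 s base delay, 1 h cap), the captcha threshold and the account names are assumptions made for the example.

```python
import time
from dataclasses import dataclass


@dataclass
class _UserState:
    failures: int = 0           # consecutive failed attempts for this account
    blocked_until: float = 0.0  # clock value before which attempts are refused


class ProgressiveDelayLimiter:
    """Per-account progressive delay, modelled on the feature described in the
    thread (the schedule itself is an assumption): each failure doubles the wait
    before the next attempt is accepted, capped at max_delay, and a captcha is
    demanded once `captcha_after` failures have accumulated."""

    def __init__(self, base_delay=5.0, max_delay=3600.0, captcha_after=2,
                 clock=time.monotonic):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.captcha_after, self.clock = captcha_after, clock
        self._state = {}  # account name -> _UserState

    def check(self, user):
        """Return (allowed, seconds_to_wait, captcha_required) for an attempt."""
        st = self._state.get(user, _UserState())
        now = self.clock()
        captcha = st.failures >= self.captcha_after
        if now < st.blocked_until:
            return False, st.blocked_until - now, captcha
        return True, 0.0, captcha

    def record_failure(self, user):
        """Register a wrong password; returns the delay imposed, in seconds."""
        st = self._state.setdefault(user, _UserState())
        st.failures += 1
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.blocked_until = self.clock() + delay
        return delay

    def record_success(self, user):
        """A correct password clears the account's failure history."""
        self._state.pop(user, None)


class FixedWindowLimiter:
    """The behaviour the original post describes: five failures are accepted,
    then a five-minute pause, then five more, with no end."""

    def __init__(self, max_failures=5, pause=300.0, clock=time.monotonic):
        self.max_failures, self.pause, self.clock = max_failures, pause, clock
        self._state = {}

    def check(self, user):
        st = self._state.get(user, _UserState())
        now = self.clock()
        if now < st.blocked_until:
            return False, st.blocked_until - now, False
        return True, 0.0, False

    def record_failure(self, user):
        st = self._state.setdefault(user, _UserState())
        now = self.clock()
        if st.failures >= self.max_failures and now >= st.blocked_until:
            st.failures = 0  # pause served: the budget silently refills
        st.failures += 1
        if st.failures >= self.max_failures:
            st.blocked_until = now + self.pause
            return self.pause
        return 0.0

    def record_success(self, user):
        self._state.pop(user, None)


class FakeClock:
    """Deterministic clock so the simulation runs instantly and offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def count_failed_attempts(limiter_cls, horizon_seconds):
    """Simulate a script that submits a wrong password for one account as soon
    as the limiter permits, and return how many guesses fit in the horizon.
    This measures the guessing budget each policy hands out per account."""
    clock = FakeClock()
    limiter = limiter_cls(clock=clock)
    attempts = 0
    while clock.t < horizon_seconds:
        allowed, wait, _ = limiter.check("victim")  # constructed account name
        if not allowed:
            clock.advance(wait)
            continue
        limiter.record_failure("victim")
        attempts += 1
    return attempts


if __name__ == "__main__":
    day = 24 * 3600
    print("fixed window, guesses per day:", count_failed_attempts(FixedWindowLimiter, day))
    print("progressive delays, guesses per day:", count_failed_attempts(ProgressiveDelayLimiter, day))
```

Run stand-alone, the simulation reports 1440 guesses per day for the fixed window and 33 for the progressive schedule. Alex's objection still applies in weakened form: anyone who keeps failing on a victim's name keeps that account delayed, so deployments usually key the delay on account plus client address, or only slow down unrecognised devices, rather than on the account name alone.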
