You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, Authorizer maintains not only a per-user failed login counter, but also a global failed login counter for all attempts to log in as users that don't exist12.
Whenever the global lockout is triggered, a message like this is logged to Simple History:
Authorizer lockout triggered for 10 minutes on user wwwadmin after the 104th invalid attempt.
However, this doesn't actually mean someone tried 104 passwords on wwwadmin, but just that someone tried 104 passwords on several users, all non-existing. I think the message could be reworded to make this more clear, e.g.:
Authorizer lockout triggered for 10 minutes on all non-existent usernames after the 104th invalid attempt (latest non-existent username: wwwadmin).
The reworded message could help in debugging tricky issues like #138.
Footnotes
The reason for this is documented: If the plugin locked only existing user names, an attacker can find out if a user with a certain name exists by bombarding the page with invalid password attempts for that user. If the user gets locked, the attacker would have confirmed the user exists. Therefore, the plugin also counts login attempts for non-existent usernames. ↩
Currently, Authorizer maintains not only a per-user failed login counter, but also a global failed login counter for all attempts to log in as users that don't exist12.
Whenever the global lockout is triggered, a message like this is logged to Simple History:
However, this doesn't actually mean someone tried 104 passwords on
wwwadmin, but just that someone tried 104 passwords on several users, all non-existing. I think the message could be reworded to make this more clear, e.g.:The reworded message could help in debugging tricky issues like #138.
Footnotes
The reason for this is documented: If the plugin locked only existing user names, an attacker can find out if a user with a certain name exists by bombarding the page with invalid password attempts for that user. If the user gets locked, the attacker would have confirmed the user exists. Therefore, the plugin also counts login attempts for non-existent usernames. ↩
Furthermore, it also makes the plugin more robust and able to deal with complexities like these: https://github.com/uhm-coe/authorizer/issues/138#issuecomment-1930933507 ↩
The text was updated successfully, but these errors were encountered: