
Improve login requirements #59

Closed
6 tasks done
bartvanb opened this issue Dec 1, 2021 · 4 comments · Fixed by #231 or #281
Labels: good first issue (Good for newcomers)

Comments


bartvanb commented Dec 1, 2021

Attackers can currently do unlimited attempts to retrieve user passwords. There are a few good practices we may add to improve this.

I think the following would be nice:

  • Do not show message 'username does not exist' as it can inform attacker which usernames actually have accounts
  • Maximum number of login attempts: 5, then block 15min (except when reset via email)*
  • Minimum password length: 8
  • Maximum password length: 128 (https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/)
  • Include special character (0-9a-zA-Z special characters)
  • Make sure that when creating new server, root user is properly created

*these are default values that may be adapted in the server config file
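The checks proposed above, as an added stand-alone example (this is not vantage6 code and does not reflect how #231 or #281 implemented it). It assumes an in-memory user store, the hypothetical config keys `min_length`, `max_length`, `max_failed_attempts` and `block_seconds` in place of whatever the server config file uses, PBKDF2 as a placeholder for the server's real password hashing, and that the e-mail reset flow has already verified the user before `reset_password` is called. The same failure message is returned for an unknown username, a wrong password and a blocked account, and an unknown username still costs one hash computation, so neither the message nor the response time confirms that an account exists. Oversized passwords are rejected on length before any hashing, which is the point of the 128-character cap.

```python
"""Password policy and login-attempt limiting (added example; not the project's code)."""
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass

# Defaults from the issue; config-file keys are an assumption of this example.
DEFAULT_POLICY = {
    "min_length": 8,
    "max_length": 128,
    "max_failed_attempts": 5,
    "block_seconds": 15 * 60,
}

# Character classes the password must contain: (regex, violation message).
CHARACTER_CLASSES = [
    (r"[0-9]", "at least one digit"),
    (r"[a-z]", "at least one lowercase letter"),
    (r"[A-Z]", "at least one uppercase letter"),
    (r"[^0-9a-zA-Z]", "at least one special character"),
]


def check_password_policy(password, policy=DEFAULT_POLICY):
    """Return the list of rules the password violates; an empty list means it is acceptable."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if len(password) > policy["max_length"]:
        # Rejecting oversized input before hashing is what prevents the long-password DoS.
        problems.append(f"longer than {policy['max_length']} characters")
    for pattern, message in CHARACTER_CLASSES:
        if not re.search(pattern, password):
            problems.append(message)
    return problems


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    blocked_until: float = 0.0  # epoch seconds; 0 means not blocked


class LoginService:
    # One message for "no such user", "wrong password" and "blocked": none of them confirms a username.
    GENERIC_FAILURE = "Invalid username or password"

    def __init__(self, policy=DEFAULT_POLICY, clock=time.time):
        self.policy = policy
        self.clock = clock  # injectable so the block window can be tested without sleeping
        self.users = {}
        self._dummy_salt = os.urandom(16)  # used to hash attempts against unknown usernames

    @staticmethod
    def _hash(password, salt):
        # PBKDF2 stands in for the server's real hashing scheme (assumption of this example).
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

    def _store(self, username, password):
        # Single code path for every place a password is created or edited, so the policy
        # is enforced for user creation, password change and reset alike.
        problems = check_password_policy(password, self.policy)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt = os.urandom(16)
        self.users[username] = UserRecord(salt, self._hash(password, salt))

    def create_user(self, username, password):
        self._store(username, password)

    def reset_password(self, username, new_password):
        """Assumes the e-mail reset flow has verified the user. Replacing the record also clears the block."""
        self._store(username, new_password)

    def is_blocked(self, username):
        record = self.users.get(username)
        return record is not None and record.blocked_until > self.clock()

    def login(self, username, password):
        """Return (ok, message). Failures never reveal whether the username exists."""
        if len(password) > self.policy["max_length"]:
            return False, self.GENERIC_FAILURE  # do not even hash oversized input
        now = self.clock()
        record = self.users.get(username)
        if record is None:
            self._hash(password, self._dummy_salt)  # same work as a real check, so timing leaks nothing
            return False, self.GENERIC_FAILURE
        if record.blocked_until > now:
            return False, self.GENERIC_FAILURE  # blocked: the attempt is not verified at all
        if hmac.compare_digest(record.pw_hash, self._hash(password, record.salt)):
            record.failed_attempts = 0
            return True, "ok"
        record.failed_attempts += 1
        if record.failed_attempts >= self.policy["max_failed_attempts"]:
            record.blocked_until = now + self.policy["block_seconds"]
            record.failed_attempts = 0
        return False, self.GENERIC_FAILURE
```

Returning the generic message for a blocked account means a legitimate user is not told why the login fails; if a deployment prefers to say "too many attempts", it should do so only after the password was verified or in an out-of-band e-mail, otherwise the lockout message itself becomes a username oracle.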


bartvanb commented Mar 2, 2022

Take care that these checks are done in all cases where a password can be created or edited.

@bartvanb bartvanb transferred this issue from IKNL/vantage6-server May 16, 2022
@bartvanb bartvanb added the good first issue Good for newcomers label Jul 5, 2022
@bartvanb bartvanb self-assigned this Jul 11, 2022

bartvanb commented Aug 2, 2022

Note: not all of this is backwards compatible so maybe in 4.0?


bartvanb commented Aug 3, 2022

Login attempts: 3, block time 15min

@bartvanb

The password requirements are not checked yet when creating a new user
