Bug 1461640

Summary: Account lockout period should increase with each successive lockout event
Product: [Community] Bugzilla
Reporter: Jeff Fearn 🐞 <jfearn>
Component: User Accounts
Assignee: PnT DevOps Devs <hss-ied-bugs>
Status: CLOSED NOTABUG
QA Contact: tools-bugs <tools-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 5.0
CC: qgong, yijli
Target Milestone: 5.0
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-05 00:43:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jeff Fearn 🐞 2017-06-15 03:56:06 UTC
Description of problem:
Currently the same lockout period is applied every time a lockout event is triggered; the lockout period should increase with each lockout event.

Version-Release number of selected component (if applicable):
5.0

How reproducible:
Write a script and give it the wrong password.

Steps to Reproduce:
1. Write a script
2. enter valid user but invalid credentials
3. forget to check wtf is going on and blindly retry

Actual results:
Every 30 minutes you will get another shot at logging in and an email will be sent to the error list.

If you have multiple IPs you can do the same from each IP.

Expected results:
The lock out period should be based on the total number of failed logins in the DB. The entities in the DB should get deleted on a successful login.

Additional info:

e.g. ( count(your login failures) / MAX_LOGIN_ATTEMPTS ) * LOGIN_LOCKOUT_INTERVAL minutes

(   5 / 5 ) * 30 =   30 minutes
( 150 / 5 ) * 30 =  900 minutes
( 352 / 5 ) * 30 = 2112 minutes

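The escalating lockout the report proposes, as an added example that is not code from the report or from Bugzilla itself: `lockout_minutes` implements the `(failures / MAX_LOGIN_ATTEMPTS) * LOGIN_LOCKOUT_INTERVAL` formula and reproduces the three worked values above, and `LoginFailureTracker` is a constructed in-memory stand-in for the DB records the report describes. It counts failures per account rather than per source IP (so the multiple-IP case in "Actual results" no longer resets the clock), refuses attempts while the lockout is running without consulting the password, and deletes the account's failure records on a successful login. The constants, class and method names, and the sample timestamps and addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed values; they match the worked examples in the report (5 attempts, 30 minutes).
MAX_LOGIN_ATTEMPTS = 5
LOGIN_LOCKOUT_INTERVAL = 30  # minutes


def lockout_minutes(failure_count, max_attempts=MAX_LOGIN_ATTEMPTS,
                    interval=LOGIN_LOCKOUT_INTERVAL):
    """Lockout length from the report's formula: (failures / max_attempts) * interval.

    Below the attempt threshold there is no lockout at all. The multiplication is
    done before the division so the result is exact for the report's examples
    (e.g. 352 * 30 / 5 == 2112.0) instead of accumulating float rounding.
    """
    if failure_count < max_attempts:
        return 0
    return (failure_count * interval) / max_attempts


class LoginFailureTracker:
    """In-memory stand-in (hypothetical) for the table of login-failure rows.

    Rows are keyed by account only, so retries from several IPs all count
    against the same account; a successful login deletes the account's rows.
    """

    def __init__(self, max_attempts=MAX_LOGIN_ATTEMPTS,
                 interval=LOGIN_LOCKOUT_INTERVAL):
        self.max_attempts = max_attempts
        self.interval = interval
        self._failures = defaultdict(list)  # account -> [(timestamp, source_ip), ...]

    def failure_count(self, account):
        return len(self._failures[account])

    def locked_until(self, account):
        """Return the end of the current lockout, or None if the account is not locked."""
        rows = self._failures[account]
        if len(rows) < self.max_attempts:
            return None
        last_failure = max(ts for ts, _ in rows)
        minutes = lockout_minutes(len(rows), self.max_attempts, self.interval)
        return last_failure + timedelta(minutes=minutes)

    def attempt(self, account, source_ip, password_ok, now):
        """Process one login attempt; returns (allowed, locked_until).

        `password_ok` stands in for the real credential check. While a lockout
        is running the attempt is refused outright and is NOT recorded, so a
        blindly retrying script cannot push the lockout end further out.
        """
        until = self.locked_until(account)
        if until is not None and now < until:
            return False, until
        if password_ok:
            self._failures.pop(account, None)  # success deletes the failure rows
            return True, None
        self._failures[account].append((now, source_ip))
        return False, self.locked_until(account)


def escalation_table(counts=(5, 150, 352)):
    """The report's worked examples as (failure_count, minutes) pairs."""
    return [(n, lockout_minutes(n)) for n in counts]


if __name__ == "__main__":
    for n, minutes in escalation_table():
        print(f"({n:4d} / {MAX_LOGIN_ATTEMPTS}) * {LOGIN_LOCKOUT_INTERVAL} = {minutes:6.0f} minutes")

    # Constructed scenario: a script retrying a wrong password from changing IPs.
    tracker = LoginFailureTracker()
    t0 = datetime(2017, 6, 15, 3, 56, tzinfo=timezone.utc)
    for i in range(6):
        allowed, until = tracker.attempt("alice", f"198.51.100.{i}", False,
                                         t0 + timedelta(seconds=i))
        print(f"attempt {i + 1}: allowed={allowed} locked_until={until}")
```

Note the escalation is driven by the total row count, so each further failure after a lockout expires lengthens the next lockout (6 failures give 36 minutes, 7 give 42), which is the behaviour the "Expected results" section asks for.
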
Comment 1 Jeff Fearn 🐞 2017-07-05 00:43:53 UTC
The current value is a balance between user friendly and BOFH.