Red Hat Bugzilla – Bug 1461640
Account lockout period should increase with each successive lockout event
Last modified: 2017-07-04 20:43:53 EDT
Description of problem:
Currently the same lockout period is applied every time a lockout event is triggered; the lockout period should increase for each lockout event.
Version-Release number of selected component (if applicable):
Write a script and give it the wrong password.
Steps to Reproduce:
1. Write a script
2. enter valid user but invalid credentials
3. forget to check wtf is going on and blindly retry
Every 30 minutes you will get another shot at logging in and an email will be sent to the error list.
If you have multiple IPs you can do the same from each IP.
The lockout period should be based on the total number of failed logins in the DB. The entries in the DB should get deleted on a successful login.
e.g. ( count(your_login_failures) / MAX_LOGIN_ATTEMPTS ) * LOGIN_LOCKOUT_INTERVAL minutes
( 5 / 5 ) * 30 = 30 minutes
( 150 / 5 ) * 30 = 900 minutes
( 352 / 5 ) * 30 = 2112 minutes
The current value is a balance between user friendly and BOFH.