Bug 1461640 - Account lockout period should increase with each successive lockout event
Summary: Account lockout period should increase with each successive lockout event
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Bugzilla
Classification: Community
Component: User Accounts
Version: 5.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: 5.0
Assignee: PnT DevOps Devs
QA Contact: tools-bugs
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-06-15 03:56 UTC by Jeff Fearn 🐞
Modified: 2018-12-09 06:29 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-07-05 00:43:53 UTC
Embargoed:



Description Jeff Fearn 🐞 2017-06-15 03:56:06 UTC
Description of problem:
Currently the same lockout period is applied every time a lockout event is triggered; the lockout period should increase for each lockout event.

Version-Release number of selected component (if applicable):
5.0

How reproducible:
Write a script and give it the wrong password.

Steps to Reproduce:
1. Write a script
2. enter valid user but invalid credentials
3. forget to check wtf is going on and blindly retry

Actual results:
Every 30 minutes you will get another shot at logging in and an email will be sent to the error list.

If you have multiple IPs you can do the same from each IP.

Expected results:
The lock out period should be based on the total number of failed logins in the DB. The entities in the DB should get deleted on a successful login.

Additional info:

e.g. ( count(your_login_failures) / MAX_LOGIN_ATTEMPTS ) * LOGIN_LOCKOUT_INTERVAL minutes

(   5 / 5 ) * 30 =   30 minutes
( 150 / 5 ) * 30 =  900 minutes
( 352 / 5 ) * 30 = 2112 minutes
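
The two behaviours the report contrasts, as an added example that is not Bugzilla's code (Bugzilla's real lockout logic is Perl, in Bugzilla::User) and not part of the bug report. The constant names and values follow Bugzilla::Constants; the `login_failures` rows are a simplified stand-in for the table; the "current" policy is a simplified model of per-IP counting within a fixed window as described in the report; and the proposed policy assumes, which the report does not state, that the lock still only begins once MAX_LOGIN_ATTEMPTS failures have accumulated. The simulated attacker and IP addresses are constructed.

```python
"""Model of the lockout change proposed in this bug.

Added example, not Bugzilla's code.  It contrasts the behaviour the
report describes:
  current:  failures are counted per IP inside a fixed window
  proposed: failures are counted across all IPs, kept until a
            successful login, and the lockout grows with the total
Constant names and values follow Bugzilla::Constants; the row layout
is a simplification of the login_failures table.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_LOGIN_ATTEMPTS = 5        # Bugzilla::Constants
LOGIN_LOCKOUT_INTERVAL = 30   # minutes, Bugzilla::Constants


@dataclass
class Failure:
    login_time: datetime
    ip_addr: str


@dataclass
class LoginFailures:
    """Stand-in for the login_failures rows of one user."""
    rows: list = field(default_factory=list)

    def note_failure(self, now, ip):
        self.rows.append(Failure(now, ip))

    def clear(self):
        """Proposed: delete the rows on a successful login."""
        self.rows.clear()


def lockout_minutes_proposed(total_failures):
    """The report's formula, (count / MAX_LOGIN_ATTEMPTS) * LOGIN_LOCKOUT_INTERVAL,
    in integer arithmetic (exact for every value the report lists)."""
    return total_failures * LOGIN_LOCKOUT_INTERVAL // MAX_LOGIN_ATTEMPTS


def unlock_at_current(f, now, ip):
    """Current behaviour (simplified model): only this IP's failures in the
    last LOGIN_LOCKOUT_INTERVAL minutes count.  Returns when the lock lifts,
    or None if the account is not locked for this IP."""
    window_start = now - timedelta(minutes=LOGIN_LOCKOUT_INTERVAL)
    recent = sorted(r.login_time for r in f.rows
                    if r.ip_addr == ip and r.login_time > window_start)
    if len(recent) < MAX_LOGIN_ATTEMPTS:
        return None
    # the lock lifts once enough old failures have aged out of the window
    return recent[-MAX_LOGIN_ATTEMPTS] + timedelta(minutes=LOGIN_LOCKOUT_INTERVAL)


def unlock_at_proposed(f, now):
    """Proposed behaviour: every stored failure counts, whatever its IP, and
    the lock lasts lockout_minutes_proposed() past the latest failure.
    Assumption (not stated in the report): the lock still only starts once
    MAX_LOGIN_ATTEMPTS failures have accumulated."""
    n = len(f.rows)
    if n < MAX_LOGIN_ATTEMPTS:
        return None
    latest = max(r.login_time for r in f.rows)
    until = latest + timedelta(minutes=lockout_minutes_proposed(n))
    return until if now < until else None


def simulate(policy, ips, attempts_per_ip, patient=False):
    """Run the report's 'script that blindly retries' (constructed scenario):
    one guess per second from each IP, always with a wrong password.  A
    patient attacker sleeps until the lock lifts instead of giving up."""
    f = LoginFailures()
    start = now = datetime(2017, 6, 15, 3, 56)
    processed = 0
    for ip in ips:
        for _ in range(attempts_per_ip):
            now += timedelta(seconds=1)
            until = (unlock_at_current(f, now, ip) if policy == "current"
                     else unlock_at_proposed(f, now))
            if until is not None:
                if not patient:
                    continue          # rejected before the password is checked
                now = until           # wait out the lock, then retry
            processed += 1            # password actually checked (and wrong)
            f.note_failure(now, ip)
    return {"guesses_checked": processed,
            "failures_recorded": len(f.rows),
            "elapsed_seconds": int((now - start).total_seconds())}


if __name__ == "__main__":
    ips = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]   # constructed
    for policy in ("current", "proposed"):
        print(policy, "3 IPs, 20 tries each:", simulate(policy, ips, 20))
        print(policy, "1 IP, patient:", simulate(policy, ips[:1], 20, patient=True))
```

Two things the simulation makes visible that the formula alone does not: under the per-IP window an attacker with three addresses gets fifteen password checks in the first minute, while the cross-IP count caps the whole account at five; and a patient attacker who waits out each lock still gets twenty checks either way, but the escalating schedule spreads them over eighteen hours instead of ninety minutes. The flip side is the trade-off comment 1 alludes to: because failures are counted across all sources and only cleared by a successful login, anyone who knows a username can keep that account locked for hours with wrong guesses, so escalation of this kind is usually paired with some other unlock path for the legitimate owner.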

Comment 1 Jeff Fearn 🐞 2017-07-05 00:43:53 UTC
The current value is a balance between user friendly and BOFH.

