James Server / JAMES-3669

Delay on authentication failure


Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • master

    Description

      For standalone James installations, there should be some basic protection against people/bots abusing James as a password oracle for brute-force/dictionary attacks. This needs to be enforced in a central location, so it affects all of the various protocols supported by James.

      This proposal adds an option verifyFailureDelay to usersrepository.xml, which delays the response if someone tries to authenticate with a non-existing user or wrong password. There is intentionally no distinction between these two cases, so it also covers username guessing attacks.

      Introducing this feature should not affect existing James installations, so the default is 0 delay/disabled.

      T-Shirt size S.
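The following is an added example and not code from the James project: a Python model of the design described in this issue, in which a single users repository enforces the failure delay centrally and two protocol front-ends (an IMAP LOGIN and an SMTP AUTH handler, with illustrative reply strings) simply call it. The `<verifyFailureDelay>` child element inside `<usersrepository>`, the value being in seconds (with an optional `s` suffix), and all function and class names are assumptions made for the example; the issue only states that the option is named verifyFailureDelay, lives in usersrepository.xml, and defaults to 0 (disabled). The sample configuration is constructed for the example.

```python
import hashlib
import hmac
import os
import time
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Tuple

# Constructed sample configuration. The <verifyFailureDelay> child element and the
# plain "seconds" value are assumptions for this example; check the James
# documentation for the real syntax of usersrepository.xml.
SAMPLE_CONFIG = """\
<usersrepository name="LocalUsers" class="example.InMemoryUsersRepository">
  <verifyFailureDelay>2</verifyFailureDelay>
</usersrepository>
"""


def parse_verify_failure_delay(xml_text: str) -> float:
    """Return the configured delay in seconds; a missing or empty element means 0 (disabled)."""
    root = ET.fromstring(xml_text)
    node = root.find("verifyFailureDelay")
    text = (node.text or "").strip() if node is not None else ""
    if not text:
        return 0.0
    delay = float(text[:-1] if text.endswith("s") else text)  # accept "2" or "2s" (assumed)
    if delay < 0:
        raise ValueError("verifyFailureDelay must not be negative")
    return delay


class UsersRepository:
    """Central credential store: every protocol calls verify(), so the delay is enforced once."""

    def __init__(self, failure_delay: float, sleep: Callable[[float], None] = time.sleep):
        self._failure_delay = failure_delay
        self._sleep = sleep  # injectable so tests can record the delay instead of waiting
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        # Dummy record used for unknown users, so the hashing work is done either way
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = self._hash(self._dummy_salt, "")

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(salt, password))

    def verify(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        salt, expected = record if record is not None else (self._dummy_salt, self._dummy_hash)
        # Same hashing cost and same constant-time compare whether or not the user exists
        matches = hmac.compare_digest(self._hash(salt, password), expected)
        if record is not None and matches:
            return True
        # Unknown user and wrong password take the identical path: one delay, one answer
        if self._failure_delay > 0:
            self._sleep(self._failure_delay)
        return False


def build_repository(xml_text: str, sleep: Callable[[float], None] = time.sleep) -> UsersRepository:
    return UsersRepository(parse_verify_failure_delay(xml_text), sleep)


# Two protocol front-ends sharing the one repository (reply strings are illustrative).
def imap_login(repo: UsersRepository, tag: str, username: str, password: str) -> str:
    ok = repo.verify(username, password)
    return f"{tag} OK LOGIN completed" if ok else f"{tag} NO LOGIN failed"


def smtp_auth_plain(repo: UsersRepository, username: str, password: str) -> str:
    ok = repo.verify(username, password)
    return "235 2.7.0 Authentication successful" if ok else "535 5.7.8 Authentication credentials invalid"


if __name__ == "__main__":
    repo = build_repository(SAMPLE_CONFIG)  # real time.sleep: each failure pauses 2 s
    repo.add_user("alice", "correct horse battery staple")
    for user, pw in [("alice", "correct horse battery staple"), ("alice", "guess"), ("bob", "guess")]:
        start = time.monotonic()
        reply = imap_login(repo, "A1", user, pw)
        print(f"{user!r:8} -> {reply} ({time.monotonic() - start:.1f}s)")
```

Two caveats a deployer should keep in mind. A delay that is served by sleeping inside the connection's handler holds that connection (and its thread, if the server is thread-per-connection) for the whole delay, so an attacker can turn the protection into a resource-exhaustion lever by opening many connections; a bounded number of concurrent connections per client helps. And a fixed per-attempt delay only slows a single sequential guesser; many parallel connections still get many guesses per second, so the option is a baseline rather than a substitute for per-source rate limiting or lockout.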

            People

              Assignee: Unassigned
              Reporter: Karsten Otto (kotto)

                Time Tracking

                  Original Estimate: Not Specified
                  Remaining Estimate: 0h
                  Time Spent: 1h 10m