QPID-8272

[Broker-J] Add ability to disable (lock) the account and/or report the number of failed login attempts when the number of consecutive logon attempts exceeds a predefined threshold


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: qpid-java-broker-8.0.0
    • Component/s: Broker-J
    • Labels: None

      Description

      Add the ability to disable (lock) an account when the number of consecutive logon attempts exceeds a predefined threshold.

      Different locking policies can be applied to interactive and non-interactive accounts.

      For example, for interactive accounts the following can be used:

      • If the account password length is 8 to 15 characters, the account must be locked out until reset after at most 10 consecutive login failures.
      • If the account password length is 16 characters, the account must be locked out for at least 1 minute after at most 10 consecutive login failures.

      For non-interactive accounts the following can be used:

      • Accounts must be locked out for at least 1 minute after at most 10 consecutive login failures. The lockout time should escalate by doubling with each sequential lockout, or risk-appropriate monitoring of repeated lockouts should be implemented to detect brute-force attacks.
      • For accounts with availability concerns, where account lockout is impractical, risk-appropriate monitoring of repeated failed login attempts needs to be added to detect brute-force attacks.
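The policies above, as an added example of how a per-account lockout tracker could encode them; this is illustrative code, not part of Broker-J. It assumes the "16 characters" case means 16 or more, that attempts made while locked are rejected without being counted, and that the monitoring path for availability-sensitive accounts is handled elsewhere.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

/** Added example modelled on the lockout rules in this issue; not part of Broker-J. */
public final class LoginLockoutPolicy {
    public enum AccountKind { INTERACTIVE, NON_INTERACTIVE }

    private static final int MAX_CONSECUTIVE_FAILURES = 10;           // "at most 10 consecutive login failures"
    private static final Duration BASE_LOCKOUT = Duration.ofMinutes(1); // "at least 1 minute"
    private static final int LONG_PASSWORD = 16;                      // assumption: 16 or more characters

    private static final class State {
        int consecutiveFailures;   // cleared on a successful login
        int lockoutCount;          // completed lockouts so far; drives the doubling escalation
        Instant lockedUntil;       // null = not locked; Instant.MAX = locked until an administrator resets it
    }

    private final Map<String, State> states = new HashMap<>();

    /** True if the account may not log in at {@code now}. */
    public boolean isLocked(String account, Instant now) {
        State s = states.get(account);
        return s != null && s.lockedUntil != null && now.isBefore(s.lockedUntil);
    }

    /** Records one failed login and returns true if it triggered a lockout (attempts while locked are not counted). */
    public boolean recordFailure(String account, AccountKind kind, int passwordLength, Instant now) {
        if (isLocked(account, now)) return false;
        State s = states.computeIfAbsent(account, k -> new State());
        if (++s.consecutiveFailures < MAX_CONSECUTIVE_FAILURES) return false;
        s.consecutiveFailures = 0;
        s.lockoutCount++;
        if (kind == AccountKind.INTERACTIVE && passwordLength < LONG_PASSWORD) {
            s.lockedUntil = Instant.MAX;                     // 8-15 char password: locked until reset
        } else if (kind == AccountKind.INTERACTIVE) {
            s.lockedUntil = now.plus(BASE_LOCKOUT);          // 16+ char password: fixed 1-minute lockout
        } else {
            int doublings = Math.min(s.lockoutCount - 1, 30); // 1, 2, 4, 8 ... minutes; capped to avoid overflow
            s.lockedUntil = now.plus(BASE_LOCKOUT.multipliedBy(1L << doublings));
        }
        return true;
    }

    /** Clears all state, e.g. after a successful login or an administrator reset. */
    public void reset(String account) { states.remove(account); }
}
```

Each lockout event (and each rejected attempt during a lockout) is exactly the signal the issue's "risk-appropriate monitoring" asks for, so a caller would log it alongside the account name rather than only enforcing the lock.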

        People

        • Assignee: Unassigned
        • Reporter: Alex Rudyy (orudyy)