Task #1529 (closed)
Parent task: #1503: Testing of the product (9.4.0)
Pwd policy: Misleading message when a correct password is entered
Description
TC-97: Password: blocking a user after x failed login attempts
https://kiwi.czechidm.com/case/97
Affected version: 9.4.0
(Scenario a)
1st failed attempt to log in: Chybné přihlašovací údaje
2nd failed attempt: Chybné přihlašovací údaje
3rd CORRECT attempt: Chybné přihlašovací údaje (no mention of being blocked)
When I type in a correct password at this stage, I definitely should not get the same message (as when I type in an incorrect password the first two times) because this will make me think that the password I remember is, in fact, incorrect to begin with. If I keep trying with the correct password, without being aware of being blocked (after the x-th failed attempt), I will promptly turn to Admin to reset the password - WHICH MAKES PARTS OF CODE ABSOLUTELY REDUNDANT (blocking time that is to elapse after some time, etc.).
I suggest changing the message after the (x+1)th attempt to this:
(Czech)
Zaznamenali jsme sérii chybných pokusů o přihlášení. Pro tuto chvíli se bohužel už nepřihlásíte, a to ani při zadání správného hesla. Nechte si náležitý čas na rozmyšlenou, který určilo vaše bezpečnostní oddělení, a zkuste to znovu. Se správnými údaji se vám přihlášení podaří.
(English)
We've detected a number of failed login attempts. For now, you will not be able to log in. Sorry. Please try again later at a more opportune moment, enforced by your security department.
Updated by Ondřej Kopr almost 6 years ago
- Status changed from New to In Progress
Updated by Ondřej Kopr almost 6 years ago
- Status changed from In Progress to Rejected
- Assignee changed from Ondřej Kopr to milus kotisova
After consultation with the team, it isn't good to show some other message, because the security reason is too big. Maybe in the future some feature will be implemented that allows blocking login for non-existing identities, or a blacklist feature for attackers (maybe IPs?)
Use case:
An attacker tries to log in with a non-existing username and password, and after several login attempts this attacker will be blocked.
Updated by Alena Peterová almost 6 years ago
Well, it's easy to distinguish a non-existing username from an existing username, because a login attempt for an existing username with an incorrect password takes about 1.5s and a login attempt for a non-existing username is about 3x quicker. At least in my environment (authentication against a remote system may slow it down a bit, but still...).
So these security reasons don't work. Only the message is misleading. Could you please reopen the issue and discuss it again?
Updated by Alena Peterová almost 6 years ago
- Assignee changed from milus kotisova to Ondřej Kopr
Updated by Alena Peterová almost 6 years ago
Sorry, I reacted to a bit different scenario - I think we should display the message about blocked login whether the password is correct OR incorrect. As Miluš suggested. So the attacker doesn't know if the password he tried is wrong or correct. But the users know that it's useless to try.
Then the only thing which an attacker could learn from the message is the information about a correct login - which he knows already due to the slower response in his previous attempts.
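An added example in Python (not CzechIdM code) of the behaviour proposed in the comment above: once the threshold is reached, the blocked message is returned for a correct and an incorrect password alike, and unknown usernames are checked against a dummy credential so the response-time gap noted earlier does not arise. The threshold, lockout window, account store and messages are constructed values.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass

ITERATIONS = 50_000   # constructed PBKDF2 cost, identical on every code path
MAX_FAILED = 2        # "x" from scenario (a): blocked after 2 failed attempts
BLOCK_SECONDS = 600   # constructed lockout window

WRONG = "Chybné přihlašovací údaje"
BLOCKED = "We've detected a number of failed login attempts. For now, you will not be able to log in."

@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed: int = 0
    blocked_until: float = 0.0

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_account(password):
    salt = os.urandom(16)
    return Account(salt, hash_password(password, salt))

# Dummy credential for unknown usernames: hashing against it costs the same as a
# real lookup, so an unknown name is not ~3x faster to reject than a known one.
_DUMMY = make_account("unused-dummy")

def login(accounts, username, password, now=None):
    """Return (success, message); `now` is injectable for tests."""
    now = time.time() if now is None else now
    acct = accounts.get(username, _DUMMY)
    # Always do the full hash comparison, even for unknown or blocked accounts.
    ok = hmac.compare_digest(hash_password(password, acct.salt), acct.digest)
    if acct is _DUMMY:
        return False, WRONG
    if acct.blocked_until > now:
        return False, BLOCKED  # (x+1)th attempt onward: same text for right or wrong password
    if ok:
        acct.failed = 0
        return True, "OK"
    acct.failed += 1
    if acct.failed >= MAX_FAILED:  # x-th failure starts the block
        acct.blocked_until = now + BLOCK_SECONDS
        acct.failed = 0
    return False, WRONG
```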
Updated by Ondřej Kopr almost 6 years ago
- Status changed from Rejected to In Progress
- Assignee changed from Ondřej Kopr to Alena Peterová
Alena Peterová wrote:
So these security reasons don't work. Only the message is misleading. Could you please reopen the issue and discuss it again?
Could I please ask you for help with the final analysis of the best solution? I consulted this with several people and the result is that there are big security gaps when IdM shows information about a blocked login directly in IdM (the attacker knows the login).
I'll implement whatever you want, but the problem is the request for this :( thank you.
Updated by Ondřej Kopr almost 6 years ago
Alena Peterová wrote:
Only the message is misleading.
The message isn't misleading, but Milus doesn't know about the notification (email) that is sent to the blocked identity.
Updated by Alena Peterová almost 6 years ago
Ondřej Kopr wrote:
Alena Peterová wrote:
Only the message is misleading.
The message isn't misleading, but Milus doesn't know about the notification (email) that is sent to the blocked identity.
The message in the GUI is misleading = it doesn't tell the truth :-) I know about the mail notification, but the notification doesn't always reach the user (e.g. a new user who doesn't have access to his mail yet, he must set up his password through IdM. Or he just doesn't notice the message in time when he tries to log in to IdM).
As I said in #1529#note-4, I think there is no new security risk in showing the message "Your account is blocked". The attacker can guess the login just from the response time. This security risk can be prevented only by the blacklisting you mentioned in #1529#note-3 or something.
Updated by Vít Švanda almost 6 years ago
- Status changed from In Progress to Rejected
There is no general agreement around this topic. The current behavior remains unchanged for now.