Project

General

Profile

Actions

Task #1529

closed

Task #1503: Testing of the product (9.4.0)

Pwd policy: Misleading message when a correct password is entered

Added by milus kotisova almost 6 years ago. Updated almost 6 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
Alena Peterová
Category:
Password policy
Target version:
-
Start date:
02/21/2019
Due date:
% Done:

0%

Estimated time:
Owner:

Description

TC-97: Password: blocking a user after x failed login attempts
https://kiwi.czechidm.com/case/97

@affected version 9.4.0

(Scenario a)
1st failed attempt to log in: Chybné přihlašovací údaje
2nd failed attempt: Chybné přihlašovací údaje
3rd CORRECT attempt: Chybné přihlašovací údaje (no mention of being blocked)

When I type in a correct password at this stage, I definitely should not get the same message (as when I type in an incorrect password the first two times) because this will make me think that the password I remember is, in fact, incorrect to begin with. If I keep trying with the correct password, without being aware of being blocked (after the x-th failed attempt), I will promptly turn to Admin to reset the password - WHICH MAKES PARTS OF CODE ABSOLUTELY REDUNDANT (blocking time that is to elapse after some time, etc.).

I suggest changing the message after the (x+1)th attempt to this:
(Czech)
Zaznamenali jsme sérii chybných pokusů o přihlášení. Pro tuto chvíli se bohužel už nepřihlásíte, a to ani při zadání správného hesla. Nechte si náležitý čas na rozmyšlenou, který určilo vaše bezpečnostní oddělení, a zkuste to znovu. Se správnými údaji se vám přihlášení podaří.

(English)
We've detected a number of failed login attempts. For now, you will not be able to log in. Sorry. Please try again later at a more opportune moment, enforced by your security department.

Actions #1

Updated by Ondřej Kopr almost 6 years ago

  • Status changed from New to In Progress
Actions #2

Updated by Radek Tomiška almost 6 years ago

  • Tracker changed from Defect to Task
Actions #3

Updated by Ondřej Kopr almost 6 years ago

  • Status changed from In Progress to Rejected
  • Assignee changed from Ondřej Kopr to milus kotisova

After consultation with team isn't good show some another message because security reason is too big. Maybe in future will be implement some feature that allow block login for non existing identities, or feature blacklist for attacker (maybe IPs?)

Use case:
attacker try login with non existing username and password and after several login attemps will be this attacker blocked.

Actions #4

Updated by Alena Peterová almost 6 years ago

Well, it's easy to distinguish non-existing username from existing username, because the login attempt for existing username with incorrect password is about 1.5s and login attempt for non-existing username is about 3x quicker. At least in my environment (authentication against remote system may slow it down a bit, but still...).

So these security reasons don't work. Only the message is misleading. Could you please reopen the issue and discuss it again?

Actions #5

Updated by Alena Peterová almost 6 years ago

  • Assignee changed from milus kotisova to Ondřej Kopr
Actions #6

Updated by Alena Peterová almost 6 years ago

Sorry, I reacted for a bit different scenario - I think we should display the message about blocked login, if the password is correct OR incorrect. As Miluš suggested. So the attacker doesn't know if the password he tried is wrong or correct. But the users know that it's useless to try.
Then the only thing which attackers could know from the message is the information about correct login - which he knows already due to slower response in his previous attempts.

Actions #7

Updated by Ondřej Kopr almost 6 years ago

  • Status changed from Rejected to In Progress
  • Assignee changed from Ondřej Kopr to Alena Peterová

Alena Peterová wrote:

So these security reasons don't work. Only the message is misleading. Could you please reopen the issue and discuss it again?

Please could you ask you for help with final analyze the best solution? I consulted this with several people and the result is big lacks of security when IdM show information about block login directly in IdM (attacker know the login).

I implement whatever you want, but the problem is request for this :( thank you.

Actions #8

Updated by Ondřej Kopr almost 6 years ago

Alena Peterová wrote:

Only the message is misleading.

Message isn't misleading, but Milus doesn't know about notification (email) that is send to blocked identity.

Actions #9

Updated by Alena Peterová almost 6 years ago

Ondřej Kopr wrote:

Alena Peterová wrote:

Only the message is misleading.

Message isn't misleading, but Milus doesn't know about notification (email) that is send to blocked identity.

The message in GUI is misleading = it doesn't tell the truth :-) I know about mail notification, but the notification doesn't always come to the user (e.g. new user who doesn't have access to his mail yet, he must set up is password through IdM. Or he just doesn't notice the message in time when he tries to login to IdM).
As I said in #1529#note-4, I think there is no new security risk in showing the message "Your account is blocked". The attacker can guess the login just from the response time. This security risk can be prevented only by the blacklisting you mentioned in #1529#note-3 or something.

Actions #10

Updated by Vít Švanda almost 6 years ago

  • Status changed from In Progress to Rejected

There is no general agreement around this topic. The current behavior remains unchanged for now.

Actions

Also available in: Atom PDF