Feature #1530
closed
Task #1503: Testing of the product (9.4.0)
Login block (2nd in a row) behaves differently after the elapse of 1st block
Added by milus kotisova almost 6 years ago.
Updated over 5 years ago.
Description
TC 97 (scenario b) Password: blocking a user after x failed login attempts
@affected version 9.4.0
The same rule (say, maximum 2 failed attempts) should apply again and again, once a previous blocking time has elapsed, starting from scratch, allowing the user to enter 2 wrong passwords each time.
The test case was that the first blocking period had elapsed. After that period elapsed, I logged in unsuccessfully just once more; my second attempt used the correct password, but I was blocked right after the first attempt this time, which is unexpected given the set policy.
The user should not be stopped indefinitely from entering wrong passwords but instead get a new chance of entering 2 or x wrong passwords each time a blocking period has elapsed.
- Target version set to Quartz (9.6.0)
- Tracker changed from Defect to Feature
- Status changed from New to In Progress
This feature will be upgraded a little bit:
new behavior: after the user reaches the maximum number of unsuccessful attempts, they will be blocked for the number of seconds defined in the password policy. If the block expires and the user tries to log in again and fails, the new block duration will be multiplied by 2. After the next attempts it will be multiplied by 3, and so on. The user will be sent a message directly to the GUI with information about the login block.
original behavior: when the user reached the maximum number of unsuccessful attempts within the seconds defined in the password policy, the user was blocked, with a message in the GUI.
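The escalating lockout described in the comment above, written out as an added example (this is not CzechIdM's code, and the policy attribute names max_attempts and block_seconds are assumed). It also covers the behaviour the reporter asked for: once a block has elapsed the counter starts from scratch, so a single wrong password followed by the correct one must not block the user again.

```python
"""Escalating login lockout as described in this ticket (example code, not CzechIdM's)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """The two password-policy settings the ticket refers to (attribute names assumed)."""
    max_attempts: int = 2      # failed attempts allowed before a block
    block_seconds: int = 60    # length of the first block


@dataclass
class LoginState:
    """Per-user lockout bookkeeping kept server-side."""
    failed_attempts: int = 0                 # failures in the current window
    blocked_until: Optional[float] = None    # epoch seconds; None = not blocked
    block_count: int = 0                     # consecutive blocks so far (the multiplier)


def attempt_login(state: LoginState, policy: LockoutPolicy,
                  password_ok: bool, now: float) -> Tuple[bool, str]:
    """Apply one login attempt to `state`; return (allowed, message for the GUI)."""
    if state.blocked_until is not None:
        if now < state.blocked_until:
            remaining = int(state.blocked_until - now)
            return False, f"Login blocked, try again in {remaining} s"
        # The block has elapsed: the user gets a fresh set of max_attempts,
        # which is what the ticket's scenario (b) expects.
        state.blocked_until = None
        state.failed_attempts = 0

    if password_ok:
        # A successful login ends the escalation; everything starts from scratch.
        state.failed_attempts = 0
        state.block_count = 0
        return True, "Login successful"

    state.failed_attempts += 1
    if state.failed_attempts < policy.max_attempts:
        left = policy.max_attempts - state.failed_attempts
        return False, f"Invalid password, {left} attempt(s) left"

    # Limit reached: block for block_seconds x 1, x 2, x 3, ... for each
    # consecutive block, as the upgraded behaviour in this ticket describes.
    state.block_count += 1
    duration = policy.block_seconds * state.block_count
    state.blocked_until = now + duration
    state.failed_attempts = 0
    return False, f"Too many failed attempts, login blocked for {duration} s"


def replay(events: List[Tuple[float, bool]],
           policy: Optional[LockoutPolicy] = None) -> List[str]:
    """Replay (time, password_ok) pairs for one user; return the GUI messages."""
    policy = policy or LockoutPolicy()
    state = LoginState()
    return [attempt_login(state, policy, ok, t)[1] for t, ok in events]


# Constructed scenario from the ticket: two failures, the 60 s block elapses,
# one more failure, then the correct password, which must succeed.
TICKET_SCENARIO = [(0, False), (1, False), (10, True), (70, False), (71, True)]

# Constructed scenario for the escalation: three consecutive blocks of 60, 120, 180 s.
ESCALATION_SCENARIO = [(0, False), (1, False), (70, False), (71, False),
                       (200, False), (201, False)]

if __name__ == "__main__":
    for msg in replay(TICKET_SCENARIO):
        print(msg)
```

Whether the multiplier is worth having is the policy question raised in the next comment; dropping it is a one-line change (use `policy.block_seconds` instead of `duration`), and the reset-after-elapse logic in `attempt_login` is what fixes the reported defect either way.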
Ondřej Kopr wrote:
This feature will be upgraded a little bit:
new behavior: after the user reaches the maximum number of unsuccessful attempts, they will be blocked for the number of seconds defined in the password policy. If the block expires and the user tries to log in again and fails, the new block duration will be multiplied by 2. After the next attempts it will be multiplied by 3, and so on. The user will be sent a message directly to the GUI with information about the login block.
From my point of view, this really is overkill. A blocking period is fine to prevent brute-force attacks. These types of attacks are based on a huge number of attempts in a short period of time (ms), and any delay of a higher order (tens of seconds or even minutes) is good enough. If this is not enough, then the password policy itself is really bad.
The behaviour I expect is just telling the user "limit reached, wait 5 minutes" and waiting. Then reset the counter.
- % Done changed from 0 to 10
- Status changed from In Progress to Needs feedback
- % Done changed from 10 to 90
- Assignee changed from Ondřej Kopr to Vít Švanda
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Ondřej Kopr
- % Done changed from 90 to 100
I tested it. Now the UX is better. Thanks for that.
- Status changed from Resolved to Closed