Changes between Version 1 and Version 5 of Ticket #36651
Timestamp:
Oct 17, 2025, 1:10:14 AM (3 weeks ago)
Author:
heindrickdumdum0217
  • Ticket #36651

    • Property Resolution set to invalid
    • Property Status changed from new to closed
    • Property Summary changed from "Security concern in ModelBackend" to "Brute-force password attack against inactive users returns distinct error message"
  • Ticket #36651 – Description (v1 → v5; unchanged lines shown once)

    We have implemented user account lock after 3 consecutive failed login attempts.

    v1: When a user tries to log in a 4th time we have to show the correct error message that the user account is locked, but for now it's impossible without rewriting the "authenticate" function again.
    v5: When a user tries to log in a 4th time we have to show the correct error message that the account is locked, but for now it's impossible without rewriting the "authenticate" function again.

    v1: But the current code checks the password first, then checks whether the user can authenticate.
    v5: The current code checks the password first, then checks whether the user can authenticate.

    v1: It means if the user receives a different error message, the user can be sure at least the username and password are correct.
    v5: It means if the user receives a different error message, an attacker can be sure at least the username and password are correct.

    It may allow hackers to try different passwords as many times as they want until they receive a different error message.
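The check order the reporter describes, as an added illustration that is not Django's own code nor the ticket's: a backend that checks the password before the lock state can only emit the "locked" message once the password matched, while the hardened variant decides the message from the lock state alone. The `User` store, `sha256` hashing and the message strings are constructed assumptions for the example.

```python
# Added example (not Django's code): the check order the ticket describes.
# ModelBackend verifies the password first and only then asks whether the
# user may authenticate. A custom backend that turns the second check into
# a distinct "locked" message makes that message reachable only with a
# correct password, so it confirms credentials. sha256 stands in for
# Django's hasher; the user store is constructed in-memory.
import hashlib
import hmac
from dataclasses import dataclass

GENERIC_FAILURE = "Invalid username or password."
LOCKED_MESSAGE = "This account is locked."

@dataclass
class User:
    password_hash: str    # sha256 hex, illustration only
    locked: bool = False  # set by the reporter's 3-failure lockout

def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed sample store: alice is already locked.
USERS = {"alice": User(_hash("correct horse"), locked=True)}

def check_password(user: User, password: str) -> bool:
    return hmac.compare_digest(user.password_hash, _hash(password))

def authenticate_leaky(username: str, password: str) -> str:
    """Password first, lock second: LOCKED_MESSAGE implies a correct password."""
    user = USERS.get(username)
    if user is None or not check_password(user, password):
        return GENERIC_FAILURE
    if user.locked:  # only reachable once the password matched
        return LOCKED_MESSAGE
    return "ok"

def authenticate_hardened(username: str, password: str) -> str:
    """Lock state decides the message; the password is still verified so the
    work done is comparable, but its result is ignored for a locked account."""
    user = USERS.get(username)
    if user is None:
        return GENERIC_FAILURE
    password_ok = check_password(user, password)
    if user.locked:  # same answer whether or not the password matched
        return LOCKED_MESSAGE
    return "ok" if password_ok else GENERIC_FAILURE

def leaks_password_correctness(auth, username, good, bad) -> bool:
    """True when a locked account answers differently to right and wrong passwords."""
    return auth(username, good) != auth(username, bad)
```

If account enumeration also matters, return `GENERIC_FAILURE` for locked accounts as well; the essential property is that the response must not change with password correctness.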