View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005445 | OXID eShop (all versions) | 4.04. Security | public | 2013-09-29 14:51 | 2022-02-01 14:43 |
Field | Value |
---|---|
Reporter | henrik.steffen |
Assigned To | |
Priority | normal |
Severity | feature |
Reproducibility | always |
Status | confirmed |
Resolution | open |
Platform | all |
OS | all |
OS Version | all |
Product Version | 4.7.8 / 5.0.8 |
Summary | 0005445: Prevent multiple wrong password guesses by potential attackers |
Description | Add captchas after 3 invalid tries - or disable the user account. Or block more than 3 tries from the same IP address (even on different usernames) to prevent automatic password tools from getting access to the shop. |
Tags | No tags attached. |
Theme | Not defined |
Browser | All |
PHP Version | Not defined |
Database Version | Not defined |
In my opinion, blocking failed login tries from the same IP even with different usernames is not that good an idea. I'm never sure which of my email addresses I have used in combination with what password. But indeed same IP + same username could be blocked after some amount of failed tries. German "Trusted Shops" requires such a function and it's quite easy to build that. I'm pretty sure the community would be happy about such a built-in feature, which already meets the requirements set by Trusted Shops.
Waiting for the PO decision.
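The lockout policy from the report (block after 3 failed tries) and the note's alternative key (same IP + same username rather than the IP alone), as an added Python example that is not code from OXID eShop or from anyone on this issue. The 15-minute window, the example IP, the addresses and the credential store are assumptions constructed for the demo; `now` is passed in instead of read from the clock so the run is deterministic.

```python
from collections import defaultdict, deque

MAX_FAILURES = 3          # threshold named in the issue
WINDOW_SECONDS = 15 * 60  # assumed lockout window; the issue names none

class LoginThrottle:
    """Blocks a key after MAX_FAILURES failed logins within WINDOW_SECONDS.
    per_user=True keys on (ip, username) as the note proposes; False keys on the IP alone."""
    def __init__(self, per_user, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.per_user, self.max_failures, self.window = per_user, max_failures, window
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _key(self, ip, username):
        # lower-cased so two spellings of one address share a counter (assumption)
        return (ip, username.lower()) if self.per_user else (ip,)

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:  # forget failures older than the window
            q.popleft()
        return q

    def is_blocked(self, ip, username, now):
        return len(self._recent(self._key(ip, username), now)) >= self.max_failures

    def record_failure(self, ip, username, now):
        self._recent(self._key(ip, username), now).append(now)

    def record_success(self, ip, username):
        self._failures.pop(self._key(ip, username), None)  # a real login clears the counter

def attempt_login(throttle, ip, username, password, check_password, now):
    if throttle.is_blocked(ip, username, now):
        return "blocked"  # decided before any password check, so a blocked guesser learns nothing
    if check_password(username, password):
        throttle.record_success(ip, username)
        return "ok"
    throttle.record_failure(ip, username, now)
    return "denied"

def demo():
    # Constructed scenario from the note: one user tries three of her own addresses from one IP
    # before the right one, always with the correct password, under each key policy.
    users = {"alice@example.com": "correct-horse"}  # constructed credential store
    check = lambda u, p: users.get(u) == p
    addrs = ("alice@example.org", "alice@mail.example", "a.lice@example.com", "alice@example.com")
    results = {}
    for name, per_user in (("per_ip", False), ("per_ip_user", True)):
        throttle = LoginThrottle(per_user)
        results[name] = [attempt_login(throttle, "203.0.113.7", u, "correct-horse", check, 100.0) for u in addrs]
    return results
```

Under the per-IP policy the legitimate fourth attempt is blocked even though the password is right, which is exactly the objection raised in the note; keying on IP + username blocks only the one guessed account.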