View Issue Details

IDProjectCategoryView StatusLast Update
0005445OXID eShop (all versions)4.04. Securitypublic2022-02-01 14:43
Reporterhenrik.steffen Assigned To 
PrioritynormalSeverityfeatureReproducibilityalways
Status confirmedResolutionopen 
PlatformallOSallOS Versionall
Product Version4.7.8 / 5.0.8 
Summary0005445: Prevent multiple wrong password guesses by potential attackers
DescriptionAdd captchas after 3 invalid tries - or disable user account.
Or block more than 3 tries from the same ip-address (even on different usernames) to prevent automatic password tools from getting access to the shop.

TagsNo tags attached.
ThemeNot defined
BrowserAll
PHP VersionNot defined
Database VersionNot defined

Activities

vanilla thunder

2013-09-30 09:32

reporter   ~0009118

in my oppinion blocking failed login tries from the same ip even with differen usernames is not that good idea. I'm never sure which of my email addresses is have used in combination with what password. But indeed same ip + same username could be blocked after some amount of failed tries.

German "Trusted Shops" requires such a function and its quiet easy to build that.
Im pretty sure community would be happy about such a built-in feature, which already met requirements by trusted shops.

svetlana

2014-03-28 10:04

reporter   ~0009746

waiting for the PO decision.