Lock accounts after X failed attempts
|Category:||Accounts / authentication|
I believe Redmine should have the functionality available to put accounts in to a locked state after so many failed login attempts. The number of failed attempts should be configurable via the Administration panel. Notification to an administrator e-mail address that the account was locked is desired as well.
I am surprised this feature has not made it in to Redmine yet. Could this be something that makes it in to a 0.9 release? I plan on exposing my Redmine instance to more than just internal folk within the next 6mo-1yr. I do not want to give any external entity the ability to brute force my password.
#5 Updated by Alexander J. Murmann over 9 years ago
- % Done changed from 0 to 50
I can see the following alternatives:
- After a timeout, as suggested earlier
- Notification email contains a link that will unlock the account again
- You have to deal with an admin outside the system and he has to manually unlock it
- Go through "forgot password" and reset the password and when the password is reset the account will be unlocked.
I personally think that 2. would be best.
Any thoughts about this or other suggestions?
#7 Updated by Alexander J. Murmann over 9 years ago
- File login_attempts.diff added
I implemented solution 2. Although if there is need it should be very easy to add an option to use 3. in addition.
Attached is a patch that should allow the admin to define a number of allowed login attempts and the address of an admin.
If a user fails to login the flash-message will show how many logins are left. If none are left the flash tells so and the account gets locked. A mail informing the provided admin address will be send. The suer will also receive a mail telling him what happened and providing a link to reactivate the account.
However since I am a bad boy I didn't write unit tests yet. So there still might be something wrong. I will provide another patch which will include tests later this week.