Security suggestion: Why not block login after several false login attempts?

feature-request

#1

We know that all kinds of IT infrastructure are subject to brute force attacks - bots just trying billions of passwords till - by accident - they find the right one.

I wonder whether it wouldn't be a good thing to implement an algorithm which, e.g.,

  • blocks login after 3 false login attempts for one minute
  • then allows another 2 failed attempts and blocks login for 5 minutes
  • then allows one last failed attempt and then blocks it forever till action is taken - e.g. responding to an unlock instructions email, which may require sending an unlock key file, a master password - or whatever.

Numbers for the schedule above of course can vary - we could set up different security profiles from which the admin can choose.

I'd really like to know what security experts think about this thought.

Cheers,
Wolf

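The escalating schedule proposed above (3 failures then 1 minute, 2 more then 5 minutes, 1 more then a hard lock until someone acts), written out as an added example of the state machine it implies. This is hypothetical example code, not code from the original post or from Nextcloud; the class and method names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Escalating schedule from the post (hypothetical example, not Nextcloud code):
# (failed attempts allowed in this stage, lockout seconds once they are used up).
# None = locked until an out-of-band unlock action clears the account.
SCHEDULE: List[Tuple[int, Optional[int]]] = [(3, 60), (2, 300), (1, None)]
PERMANENT = float("inf")


@dataclass
class AccountState:
    stage: int = 0             # index into the schedule
    failures: int = 0          # failed attempts in the current stage
    locked_until: float = 0.0  # epoch seconds; PERMANENT for a hard lock


class LoginThrottle:
    def __init__(self, schedule=SCHEDULE):
        self.schedule = schedule
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._state(user).locked_until

    def record_failure(self, user: str, now: float) -> float:
        """Register a failed login; return the lockout (seconds) now in force, 0 if none."""
        st = self._state(user)
        if self.is_locked(user, now):
            return st.locked_until - now  # attempts during a lock do not count
        allowed, lock_for = self.schedule[st.stage]
        st.failures += 1
        if st.failures < allowed:
            return 0.0
        st.failures = 0  # stage exhausted: lock, then move to the next stage
        if lock_for is None:
            st.locked_until = PERMANENT
            return PERMANENT
        st.locked_until = now + lock_for
        st.stage = min(st.stage + 1, len(self.schedule) - 1)
        return float(lock_for)

    def record_success(self, user: str) -> None:
        self.accounts.pop(user, None)  # a correct login resets the schedule

    def admin_unlock(self, user: str) -> None:
        self.accounts.pop(user, None)  # the "action is taken" step from the post
```

Keying the counter only on the account name, as the schedule above does, means anyone who knows a username can lock its legitimate owner out, so deployments usually also key on the source address, which is the view an OS-layer tool such as fail2ban works from.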

#2

Hi,

This is already possible with e.g. fail2ban, as seen in [1].

It makes no sense to implement such blocking in PHP as e.g. done by Nextcloud. This just brings a false sense of security. Such blocking needs to be done at the OS layer and not at the application layer within PHP, for the reasons described in e.g. [2].

[1]

[2] https://github.com/owncloud/core/issues/1580#issuecomment-267144815