Provide option to lockout users after number of invalid password attempts

RESOLVED DUPLICATE of bug 355283

Status


P2
enhancement
RESOLVED DUPLICATE of bug 355283
10 years ago
10 years ago

People

(Reporter: graeme, Assigned: mkanat)


(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: Bugzilla 3.0.4

It would be useful to be able to set up a limit on the number of unsuccessful attempts a user may have before their account becomes "locked out".

On a publicly accessible system, this is not perhaps useful, but within some industries there are requirements for users to be locked out after a number of unsuccessful login attempts (e.g. FDA - CFR21 Part 11 compliance).

Suggest that the lockout applies regardless of authentication mechanism (DB or LDAP), and would need a way of recording a count of invalid login attempts internally. The lockout would need to be different to a disabled account (since disabled accounts are displayed with a strikethrough in the UI - for a locked out user account this wouldn't be required).

Within parameters, an extra option in User Authentication would allow setting of the limit, or disabling of lockout by setting the parameter to zero (default). 

Reproducible: Always
(Assignee)

Comment 1

10 years ago
Agreed! I have no idea if this is a dupe, though.

In fact, the Mozilla Corporation has hired my company to implement this for bugzilla.mozilla.org as of just about a week ago. :-)
Assignee: user-accounts → mkanat
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P2
(Reporter)

Comment 2

10 years ago
(In reply to comment #1)

> I have no idea if this is a dupe, though.

Had a good look and couldn't see one :) 

Another thought on this would be to have an option for a user/group of users to receive a notification email when a user is locked out (again - not necessarily desirable in all situations, but covers a host of regulatory requirements).
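
A minimal sketch of the behaviour requested in the description and in comment 2, added here as an illustration; it is not Bugzilla code and not from anyone in this thread. It is written in Python rather than Bugzilla's Perl, and every name in it (`LockoutGuard`, `Account`, `max_attempts`, `notify`, `unlock`) is hypothetical, as is the administrator unlock step, which the report does not specify.

```python
# Added illustration; all names are hypothetical, not Bugzilla's.
from dataclasses import dataclass


@dataclass
class Account:
    disabled: bool = False    # administrative disable (struck through in the UI)
    locked: bool = False      # lockout state, kept separate from "disabled"
    failed_attempts: int = 0  # internal count of consecutive invalid logins


class LockoutGuard:
    """Wraps any password verifier (DB, LDAP, ...) with a failed-attempt limit."""

    def __init__(self, verify, max_attempts=0, notify=None):
        self.verify = verify              # callable(login, password) -> bool
        self.max_attempts = max_attempts  # 0 (the default) disables lockout
        self.notify = notify or (lambda login: None)  # e.g. mail a user/group
        self.accounts = {}

    def login(self, login, password):
        acct = self.accounts.setdefault(login, Account())
        if acct.disabled:
            return "disabled"
        if acct.locked:
            return "locked"  # refused before verifying, even a correct password
        if self.verify(login, password):
            acct.failed_attempts = 0  # a successful login resets the count
            return "ok"
        acct.failed_attempts += 1
        if self.max_attempts > 0 and acct.failed_attempts >= self.max_attempts:
            acct.locked = True
            self.notify(login)  # notification idea from comment 2
            return "locked"
        return "failed"

    def unlock(self, login):
        """Assumed administrator action: clear the lock and the counter."""
        acct = self.accounts.get(login)
        if acct is not None:
            acct.locked = False
            acct.failed_attempts = 0


if __name__ == "__main__":
    # Constructed verifier standing in for a DB or LDAP check.
    guard = LockoutGuard(lambda l, p: p == "s3cret", max_attempts=3, notify=print)
    for attempt in ("a", "b", "c", "s3cret"):
        print(attempt, "->", guard.login("alice", attempt))
```

Because the counter lives in the wrapper rather than in the verifier, the same limit applies whichever authentication mechanism is configured.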

Comment 3

10 years ago
The reason you couldn't find a dupe is because you cannot see it.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 355283

Comment 4

10 years ago
Marking as a security bug as it's a dupe of a security bug.
Group: bugzilla-security

Comment 5

10 years ago
Bug 355283 is no longer in the security group. Clearing the security flag here as well.
Group: bugzilla-security