rate limit log-in attempts

RESOLVED FIXED in 2014Q1

Status

P4
normal
RESOLVED FIXED
5 years ago
9 months ago

People

(Reporter: atopal, Assigned: rrosario)

Tracking

unspecified
2014Q1

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: u=sumo-team c=general p= s=2013.backlog)

(Reporter)

Description

5 years ago
Please limit user registrations to 1 per 24 hours.
(Reporter)

Comment 2

5 years ago
Sorry, I mixed this up. It should be log-in rate limiting, not sure about the way to do this though. It should limit the attacker, and not shut out the legitimate user.
Summary: rate limit user registrations. → rate limit log-in attempts
Comment 3

I am sure I sometimes log in more than once in 24 hours. Sometimes from different machines or OS accounts.

I somehow doubt I am not the only legitimate poster who would apparently be prevented from posting by this bug.
(In reply to John Hesling [:John99] from comment #3)
> I am sure I sometimes log in more than once in 24 hours. Sometimes from
> different machines or OS accounts.
> 
> I somehow doubt I am not the only legitimate poster who would apparently be
> prevented from posting by this bug.

Pretty sure this is about rate-limiting *attempts* which I think really is about failures and not successes. If that's true, then this shouldn't affect you.
1 per 24 hours seems very aggressive to me, and I re-iterate Will's question: why? What do we have that indicates this will help?

Additionally, what mechanism would we use to identify correlated login attempts? We could use the user account that you are attempting to log in to, but that doesn't address the problem that I guess you are trying to solve (and I have to guess, since you didn't provide that information). We could use the IP address, but this is going to have severe issues for people who share IP addresses (see: Mozilla Offices).
(Assignee)

Comment 6

5 years ago
Pretty sure what we want to do here is limit to something that only a brute-force password-guessing script would hit. Maybe 100 fails per day?
(Assignee)

Comment 7

5 years ago
We decided to use a 3rd party library that protects our login form against many failed attempts. After 10 login failures, the IP address will be locked out. After an hour, the lockout will expire.

The pull request:
https://github.com/mozilla/kitsune/pull/1840

Landed on master:
https://github.com/mozilla/kitsune/commit/5a526f0c9a34f29c1ce885b387b7419774d1c0ed
https://github.com/mozilla/kitsune/commit/1a59ed6cc4015eef8792db237f0d87c815049238

I've deployed to prod now.
Assignee: nobody → rrosario
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
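The lockout policy described in comment 7 (ten failures per IP, lockout expiring after an hour), written out as an added illustration; this is not kitsune's code nor the third-party library it adopted. `LoginThrottle`, `attempt_login`, the sliding failure window and the sample IPs are assumptions made for the example.

```python
import time
from collections import defaultdict

MAX_FAILURES = 10        # lockout threshold stated in comment 7
LOCKOUT_SECONDS = 3600   # lockout expires after an hour (comment 7)


class LoginThrottle:
    """Per-IP failed-login throttle; a hypothetical stand-in, not the library kitsune adopted.
    Only failures count, never successes (comment 5). Assumption: failures are tallied over
    a sliding window as long as the lockout, so stale failures expire on their own."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.locked_until = {}             # ip -> time at which the lockout expires

    def is_locked(self, ip, now=None):
        now = time.time() if now is None else now
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                   # lockout expired: start with a clean slate
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now=None):
        """Tally one failure; returns True if this failure tripped the lockout."""
        now = time.time() if now is None else now
        window_start = now - self.lockout_seconds
        recent = [t for t in self.failures[ip] if t > window_start]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout_seconds
            return True
        return False


def attempt_login(throttle, ip, username, password, check_credentials, now=None):
    """Returns 'locked', 'failed' or 'ok'. Locked IPs are refused before
    credentials are checked, so a correct password from a shared, locked IP
    is still refused (the shared-IP concern raised in comment 5)."""
    if throttle.is_locked(ip, now):
        return "locked"
    if check_credentials(username, password):
        return "ok"                        # successes never count toward the tally
    throttle.record_failure(ip, now)
    return "failed"
```

The `now` parameter exists so the clock can be driven explicitly when exercising the expiry; in real use it defaults to `time.time()`.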
(Assignee)

Updated

5 years ago
Blocks: 956234
(Assignee)

Updated

5 years ago
Blocks: 951267
(Assignee)

Updated

5 years ago
No longer blocks: 956234
(Reporter)

Comment 8

5 years ago
To be sure, I suggested 1 per 24 hours when I was confused about the issue we were trying to solve, not for actual log-in attempts. The info in comment #7 seems just fine to me.

Updated

9 months ago
See Also: → bug 1430735