Posted to dev@ranger.apache.org by "Andrew Luo (Jira)" <ji...@apache.org> on 2023/02/21 12:37:00 UTC

[jira] [Commented] (RANGER-2362) [security] Admin webui - Lack of account lockout

    [ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17691577#comment-17691577 ] 

Andrew Luo commented on RANGER-2362:
------------------------------------

The patch for this creates a bug: RANGER-4104 "XXAuthSessionDao.getRecentAuthFailureCountByLoginId produces incorrect SQL code"

> [security] Admin webui - Lack of account lockout
> ------------------------------------------------
>
>                 Key: RANGER-2362
>                 URL: https://issues.apache.org/jira/browse/RANGER-2362
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin, Ranger
>    Affects Versions: 1.0.0
>            Reporter: t oo
>            Assignee: kirby zhou
>            Priority: Major
>             Fix For: 3.0.0, 2.3.0
>
>
> Account lockout is a mechanism used to stop non-valid users from guessing for the right password. It is also a protection against brute force attacks, wherein an automated system can use common/dictionary passwords or even build passwords based on a set of characters just to try to guess the valid one.
>
> The application does not implement an account lockout mechanism, leaving it susceptible to brute force attacks. These login pages were susceptible to this condition.
>
> It is possible for an attacker to use dictionary or brute force attacks and set it to attempt sending the requests over a particular amount of time to bypass the validation. Once a username has been correctly guessed, the attacker may then be able to gain access to the application. Since it is vulnerable to the Form Auto Complete Active vulnerability (LINK), which makes the email addresses easier to guess, a brute force attack becomes more likely to be possible.
>
> Enforce account lockout conditions to prevent intrusions and improve password requirements and complexities to avoid the chances of brute force and dictionary attacks from working.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
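The lockout mechanism the issue asks for, as an added stand-alone illustration that is not Ranger's code and does not use its XXAuthSessionDao: a recent-failure count per login id inside a sliding time window, with a temporary lock once the count reaches a threshold and a reset on the next successful login. Python is used here so the scenario runs without a Ranger build; the class and function names, the thresholds (5 failures, 15-minute window, 30-minute lock) and the sample attempts are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class AuthSession:
    """One recorded login attempt (constructed stand-in for an auth-session row)."""
    login_id: str
    success: bool
    at: datetime


class AccountLockout:
    """Sliding-window lockout: lock a login id after too many recent failures.

    Thresholds are example values, not Ranger's configuration.
    """

    def __init__(self, max_failures: int = 5,
                 window: timedelta = timedelta(minutes=15),
                 lockout: timedelta = timedelta(minutes=30)) -> None:
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._sessions: List[AuthSession] = []        # append-only, time ordered
        self._locked_until: Dict[str, datetime] = {}

    def recent_failure_count(self, login_id: str, now: datetime) -> int:
        """Count the current streak of failures for login_id inside the window.

        Walks backwards from the newest session and stops at the first
        success (a good login resets the streak) or at the window edge,
        so failures older than the window never accumulate.
        """
        cutoff = now - self.window
        count = 0
        for s in reversed(self._sessions):
            if s.login_id != login_id:
                continue
            if s.at < cutoff or s.success:
                break
            count += 1
        return count

    def is_locked(self, login_id: str, now: datetime) -> bool:
        until = self._locked_until.get(login_id)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[login_id]          # lock has expired
            return False
        return True

    def attempt(self, login_id: str, credentials_ok: bool, now: datetime) -> str:
        """Process one login attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(login_id, now):
            # Refuse before evaluating the password, so a locked account
            # gives the same answer to right and wrong guesses.
            return "locked"
        self._sessions.append(AuthSession(login_id, credentials_ok, now))
        if credentials_ok:
            return "ok"
        if self.recent_failure_count(login_id, now) >= self.max_failures:
            self._locked_until[login_id] = now + self.lockout
            return "locked"
        return "failed"


def demo() -> list:
    """Constructed scenario: five bad passwords for 'alice' inside one minute."""
    policy = AccountLockout()
    t0 = datetime(2023, 2, 21, 12, 0, 0)
    results = []
    for i in range(5):
        results.append(policy.attempt("alice", False, t0 + timedelta(seconds=10 * i)))
    # Even the right password is refused while the lock is in force
    results.append(policy.attempt("alice", True, t0 + timedelta(minutes=1)))
    # A different account is unaffected by alice's lock
    results.append(policy.attempt("bob", True, t0 + timedelta(minutes=1)))
    # After the lockout period the genuine user gets back in
    results.append(policy.attempt("alice", True, t0 + timedelta(minutes=31)))
    return results


def window_demo() -> list:
    """Constructed scenario: failures spaced wider than the window do not pile up."""
    policy = AccountLockout(max_failures=2, window=timedelta(minutes=5))
    t0 = datetime(2023, 2, 21, 12, 0, 0)
    return [
        policy.attempt("carol", False, t0),
        policy.attempt("carol", False, t0 + timedelta(minutes=20)),  # first one aged out
        policy.attempt("carol", False, t0 + timedelta(minutes=21)),  # two in window: locked
    ]


if __name__ == "__main__":
    print(demo())
    print(window_demo())
```

The window edge and the reset-on-success rule are the parts worth checking when the count is pushed into a database query, as the follow-up bug in this thread suggests: a query that forgets the time cutoff, or that counts failures from before the last successful login, will either never lock or lock the wrong accounts.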