Posted to server-dev@james.apache.org by "Karsten Otto (Jira)" <se...@james.apache.org> on 2021/11/12 08:03:00 UTC

[jira] [Created] (JAMES-3669) Delay on authentication failure

Karsten Otto created JAMES-3669:
-----------------------------------

             Summary: Delay on authentication failure
                 Key: JAMES-3669
                 URL: https://issues.apache.org/jira/browse/JAMES-3669
             Project: James Server
          Issue Type: Improvement
          Components: UsersStore & UsersRepository
    Affects Versions: master
            Reporter: Karsten Otto


For standalone James installations, there should be some basic protection against people/bots abusing James as a password oracle for brute-force/dictionary attacks. This needs to be enforced in a central location, so it affects all of the various protocols supported by James.

This proposal adds an option {{verifyFailureDelay}} to {{usersrepository.xml}}, which delays the response if someone tries to authenticate with a non-existing user or wrong password. There is intentionally no distinction between these two cases, so it also covers username guessing attacks.

Introducing this feature should not affect existing James installations, so the default is 0 delay/disabled.

T-Shirt size S.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

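As an added illustration of the behaviour this issue proposes (hypothetical code, not the James implementation): a verifier that applies one configurable delay to both failure cases, unknown user and wrong password, and does nothing when the option is left at its default of 0. The class and method names, and the in-memory user map standing in for the users repository, are assumptions.

```java
import java.time.Duration;
import java.util.Map;

// Hypothetical illustration of the proposed verifyFailureDelay option.
// Not James code; the map below stands in for the users repository.
public class DelayedVerifier {

    private final Map<String, String> users;     // username -> password (constructed sample)
    private final Duration verifyFailureDelay;   // value of verifyFailureDelay; zero = disabled

    public DelayedVerifier(Map<String, String> users, Duration verifyFailureDelay) {
        this.users = users;
        this.verifyFailureDelay = verifyFailureDelay;
    }

    /** True only for a known user with the right password; every failure is delayed. */
    public boolean verify(String username, String password) {
        String stored = users.get(username);
        // Unknown user and wrong password collapse into one outcome, so neither the
        // reply nor the delay tells the caller which of the two occurred.
        boolean ok = stored != null && stored.equals(password);
        if (!ok) {
            delayOnFailure();
        }
        return ok;
    }

    private void delayOnFailure() {
        if (verifyFailureDelay.isZero()) {
            return;                              // default: feature disabled, no change in behaviour
        }
        try {
            Thread.sleep(verifyFailureDelay.toMillis());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    public static void main(String[] args) {
        DelayedVerifier v = new DelayedVerifier(Map.of("alice", "correct-horse"), Duration.ofMillis(500));
        long t0 = System.nanoTime();
        boolean unknownUser = v.verify("bob", "x");            // unknown user: delayed
        long t1 = System.nanoTime();
        boolean wrongPassword = v.verify("alice", "x");        // wrong password: delayed the same way
        long t2 = System.nanoTime();
        boolean success = v.verify("alice", "correct-horse");  // success: answered immediately
        long t3 = System.nanoTime();
        System.out.printf("unknown=%b (%d ms), wrong=%b (%d ms), ok=%b (%d ms)%n",
            unknownUser, (t1 - t0) / 1_000_000, wrongPassword, (t2 - t1) / 1_000_000,
            success, (t3 - t2) / 1_000_000);
    }
}
```

A real repository compares against a stored password hash rather than the plain password, and each delayed failure occupies a thread for the duration, which is worth keeping in mind when choosing the value for the protocol servers it applies to.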