View Issue Details

ID: 0026361
Project: mantisbt
Category: security
View Status: public
Last Update: 2021-10-12 14:34
Reporter: jcamara
Assigned To:
Status: new
Resolution: open
Product Version: 2.22.0
Summary: 0026361: Avoid multiple login attempts

Our security department suggests including a feature to avoid multiple login attempts in order to increase the access security level.

It could be:

  • reCaptcha
  • Temporary IP block

This feature may be activated on first login access failure.

Tags: No tags attached.


Relationships: related to 0029167 (new): Please enable the captcha in login page




2019-11-15 08:50, developer, note ~0063100

We already have a feature that will lock the users' account after a predetermined, configurable number of failed attempts. See $g_max_failed_login_count (OFF by default).

I'm not sure if that satisfies your requirement. If not, then please be more precise in your specification of how you expect the system to behave.



2019-11-15 09:11, reporter, note ~0063101

It could be a solution, but in order to prevent an attack over a known username (like jcamara) that results in a user lock, the suggestion is:

  • Use a captcha, like Google reCaptcha, to implement a control over bots.
  • Block access from an IP (not the user) exceeding max failed login count.

In an extreme case, there may be an external attack using a set of specific usernames that results in an account lock.
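The trade-off the reporter describes above, as an added illustration that is not MantisBT code: a per-user lockout (the behaviour of $g_max_failed_login_count) lets anyone who knows a username lock that account out, while a per-source-address limit lets the real user still log in from elsewhere. Thresholds, the `LoginGuard` class and the sample addresses are assumptions constructed for this example.

```python
"""Constructed comparison of per-user lockout vs. per-IP throttling (not MantisBT code)."""
import time
from collections import defaultdict, deque

MAX_FAILED_PER_USER = 3   # assumed value, analogous to $g_max_failed_login_count
MAX_FAILED_PER_IP = 5     # assumed per-source-address threshold
IP_WINDOW_SECONDS = 600   # assumed sliding window for counting per-IP failures


class LoginGuard:
    """Toy login gate that can enforce either or both policies."""

    def __init__(self, per_user=True, per_ip=False, now=time.time):
        self.per_user, self.per_ip, self.now = per_user, per_ip, now
        self.user_failures = defaultdict(int)    # username -> consecutive failures
        self.ip_failures = defaultdict(deque)    # ip -> timestamps of recent failures

    def _recent_ip_failures(self, ip):
        # Drop failures older than the window, then count what remains.
        cutoff = self.now() - IP_WINDOW_SECONDS
        q = self.ip_failures[ip]
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def attempt(self, username, ip, password_ok):
        """Return 'ok', 'denied', 'user_locked' or 'ip_blocked'."""
        if self.per_ip and self._recent_ip_failures(ip) >= MAX_FAILED_PER_IP:
            return "ip_blocked"
        if self.per_user and self.user_failures[username] >= MAX_FAILED_PER_USER:
            return "user_locked"
        if password_ok:
            self.user_failures[username] = 0     # success resets the per-user counter
            return "ok"
        self.user_failures[username] += 1
        self.ip_failures[ip].append(self.now())
        return "denied"


def simulate(per_user, per_ip):
    """Six bad passwords for 'jcamara' from one address, then the real user from another."""
    guard = LoginGuard(per_user=per_user, per_ip=per_ip)
    attacker_ip, home_ip = "203.0.113.9", "198.51.100.7"   # constructed documentation addresses
    for _ in range(6):
        last_attacker = guard.attempt("jcamara", attacker_ip, password_ok=False)
    legit = guard.attempt("jcamara", home_ip, password_ok=True)
    return {"attacker": last_attacker, "legit": legit}


if __name__ == "__main__":
    print("per-user lockout only:", simulate(per_user=True, per_ip=False))
    print("per-IP throttle only: ", simulate(per_user=False, per_ip=True))
```

A per-IP limit on its own is weaker against attempts spread over many source addresses and can affect legitimate users behind a shared NAT, so in practice it is combined with the per-user counter and with logging of both events for detection.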