Is Mendix using progressive delays for user lockouts?

1
I know that a user account is blocked for 5 minutes by default when it reaches 3 incorrect attempts. Mendix will unblock the user account after 5 minutes, so the person can log in again. However, against brute force attacks it is highly desirable to have for instance progressive delays for lockouts. Let's say the first time 5 minutes (default) and every new incorrect attempt during the lockout will double the lockout time. Is Mendix able to do this? Has anyone implemented this before? Also another option would be using captcha. Has anyone used this in combination with an alternative html login page (so the default Mendix login is not used here)? Is https://forum.mendix.com/questions/600/CAPTCHA-component a proper one? PS: I also know that this lockout period of time can be changed with 'ClusterManagerActionInterval', but I want to let the system work as is. Thanks.
asked
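The lockout policy proposed in the question, simulated as an added example. This is illustrative Python written for this page, not Mendix platform code. The 3-attempt threshold and the 5-minute base lockout follow the defaults the question cites; the three policy variants (`fixed`, `attempt`, `lockout`), the rule that a successful login resets the escalation, and the two attacker behaviours are assumptions made for the simulation.

```python
"""Simulate fixed versus progressive account lockouts (added example, not Mendix code)."""

MAX_ATTEMPTS = 3      # failed attempts before a lockout (default cited in the question)
BASE_LOCKOUT = 300    # first lockout in seconds, i.e. 5 minutes (default cited in the question)
DAY = 24 * 60 * 60


class LockoutPolicy:
    """Lockout state for a single account. Time is integer seconds.

    mode (assumed variants for the simulation):
      'fixed'   - every lockout lasts BASE_LOCKOUT (the default behaviour described)
      'attempt' - a failed attempt *during* a lockout doubles and restarts it
                  (the rule proposed in the question)
      'lockout' - each successive lockout is twice as long as the previous one
    A successful login resets the escalation in every mode (assumption).
    """

    def __init__(self, mode="fixed"):
        if mode not in ("fixed", "attempt", "lockout"):
            raise ValueError("unknown mode: %r" % mode)
        self.mode = mode
        self.reset()

    def reset(self):
        self.failures = 0          # consecutive failures since the last lockout/success
        self.locked_until = 0      # seconds; the account is locked while now < locked_until
        self.lockout_len = BASE_LOCKOUT

    def is_locked(self, now):
        return now < self.locked_until

    def attempt(self, now, password_ok):
        """Process one login attempt. Returns True only when the password was
        actually checked and correct; attempts during a lockout are rejected
        without checking the password."""
        if self.is_locked(now):
            if self.mode == "attempt":
                self.lockout_len *= 2
                self.locked_until = now + self.lockout_len
            return False
        if password_ok:
            self.reset()
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.failures = 0
            self.locked_until = now + self.lockout_len
            if self.mode == "lockout":
                self.lockout_len *= 2
        return False


def guesses_checked_per_day(mode, patient):
    """Count wrong guesses that reach the password check in one simulated day.

    patient=False: a client that submits one guess every second regardless of state.
    patient=True : a client that only submits when the account is not locked.
    """
    policy = LockoutPolicy(mode)
    checked = 0
    now = 0
    while now < DAY:
        if patient and policy.is_locked(now):
            now = policy.locked_until      # wait for the lockout to expire
            continue
        was_locked = policy.is_locked(now)
        policy.attempt(now, password_ok=False)
        if not was_locked:
            checked += 1
        now += 1
    return checked


def summary():
    """Guesses actually checked per day for every policy/client combination."""
    return {
        (mode, patient): guesses_checked_per_day(mode, patient)
        for mode in ("fixed", "attempt", "lockout")
        for patient in (False, True)
    }


if __name__ == "__main__":
    for (mode, patient), n in sorted(summary().items()):
        client = "waits for unlock" if patient else "one guess/second"
        print("%-8s %-18s %5d guesses checked per day" % (mode, client, n))
```

Running it shows the point a practitioner would check before adopting the rule as worded: doubling only when an attempt arrives during the lockout stops a client that hammers the login (3 checked guesses per day), but a client that simply waits for each unlock gets exactly what the fixed policy allows (861 per day). Doubling on every successive lockout limits both to 27 per day. The trade-off is that escalating lockouts also make it easier for someone else's failed attempts to keep a legitimate user locked out, which is why they are usually combined with per-source rate limiting or a CAPTCHA rather than used alone.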
2 answers
4

Hi Bart, the interval is managed by Mendix, if it is not in, file a feature request.

BTW: brute force attack with 30/min*60*24=43200 attacks a day and a password with length 10 and 72 options per position (26 lowercase, 26 uppercase, 10 digits, 10 special chars) has 72^10 possibilities that will take 2.4x10^12 years to test all. Half of that time is the average time to find it. Quite sufficient.

answered
1

Brute force is not likely, but I do want to play devil's advocate a little bit. IF the malicious party knows about the length or complexity constraints of the password, it makes it a little easier to guess. Also, if the party knows anything about you (birthday, middle name, etc.), it also would affect the time needed to guess a password. This is usually the case when it comes to brute force.

Social engineering is one of the most prevalent ways now to get information from users. This is how most people get your information that you might use to create a password (Facebook, Twitter, etc.).

BTW, I think the CAPTCHA module has security issues (see the reviews in the App Store).

You could also think of implementing a SiteKey for mutual authentication, in the case you are worried about phishing/pharming.

answered