Locking out users after unsuccessful logins
Is there any way in JATOS to lock users out after too many failed login attempts? Or a similar mechanism to discourage/prevent password-cracking attempts?
e.g. if I know a user's ID, and write a python script to try to guess their password by sending requests to the login page with different passwords (e.g. every word in the dictionary, etc.) could I succeed?
A number of other systems I've used support some kind of user lockout after, say, five incorrect attempts, unlocking them automatically after a delay that's short enough to be tolerable for a frustrated real user, but long enough to make a dictionary attack impractical.
Obviously this would protect participant data, but if JATOS is integrated with a University user authentication system, then without such protection, JATOS would become a vector for cracking more widely used (and higher stakes) user IDs.
Comments
JATOS already has a one-minute delay after three unsuccessful authentication attempts. This definitely applies to normal (database) logins. But I have to check in JATOS' source code whether this applies to other methods like LDAP or OAuth as well. Will report back.
Thanks! Actually, I just tried it, and you're right, it locks me out for a minute after three unsuccessful attempts with an LDAP user.
Sorry I didn't just try it out before to see what happened.
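The lockout mechanism the question asks for, and the behaviour the comment reports for JATOS (a one-minute lock after three failed attempts), can be modelled with a small per-user throttle. The following is an added illustration, not JATOS' own code: the class, method names and the `attempt_login` helper are assumptions, the three-attempt / sixty-second parameters are taken from the comment above, and the login sequence in `simulate()` is constructed for the example.

```python
import time
from dataclasses import dataclass


@dataclass
class _State:
    """Per-user counters (constructed for this example)."""
    failures: int = 0
    locked_until: float = 0.0  # absolute time; 0.0 means not locked


class LoginThrottle:
    """In-memory failed-login throttle: after `max_failures` consecutive
    failures the account is locked for `lockout_seconds`, then unlocks
    automatically. Assumed design, not JATOS' implementation."""

    def __init__(self, max_failures=3, lockout_seconds=60.0):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._states = {}

    def _state(self, user_id):
        return self._states.setdefault(user_id, _State())

    def is_locked(self, user_id, now=None):
        now = time.time() if now is None else now
        st = self._state(user_id)
        if st.locked_until > now:
            return True
        if st.locked_until:
            # Lock has expired: start a fresh counting window.
            st.failures = 0
            st.locked_until = 0.0
        return False

    def record_failure(self, user_id, now=None):
        """Count one failed attempt; return True if the account is now locked."""
        now = time.time() if now is None else now
        if self.is_locked(user_id, now):
            return True  # attempts during a lock do not touch the counter
        st = self._state(user_id)
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            return True
        return False

    def record_success(self, user_id):
        """A successful login clears the user's failure history."""
        self._states.pop(user_id, None)


def attempt_login(throttle, user_id, password, real_password, now):
    """Return 'locked', 'ok' or 'bad'. The lock check runs before the password
    comparison, so a locked account is rejected even when the guess is right."""
    if throttle.is_locked(user_id, now):
        return "locked"
    if password == real_password:  # stand-in for real credential verification
        throttle.record_success(user_id)
        return "ok"
    throttle.record_failure(user_id, now)
    return "bad"


def simulate():
    """Constructed scenario: three wrong guesses, then the correct password is
    rejected inside the one-minute lock and accepted once it has expired."""
    throttle = LoginThrottle()
    real = "correct-horse"
    results = []
    for i, guess in enumerate(["aardvark", "abacus", "abandon"]):
        results.append(attempt_login(throttle, "alice", guess, real, now=100.0 + i))
    results.append(attempt_login(throttle, "alice", real, real, now=110.0))  # still locked
    results.append(attempt_login(throttle, "alice", real, real, now=170.0))  # lock expired
    return results


if __name__ == "__main__":
    print(simulate())
```

Two points a deployment would add to this sketch: the counters must live in storage shared by all application instances (a database or cache), or an attacker simply spreads requests across nodes; and because the lock is keyed on the user ID, anyone who knows an ID can keep that account locked, which is why the delay is kept short (as the original post notes) and why such events should be logged so that bursts of failures against many IDs are visible to whoever runs the university authentication system.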