
Global delays after password failure #14

Closed
stefwalter opened this issue Nov 4, 2013 · 4 comments

Comments

@stefwalter
Contributor

Go over

http://stackoverflow.com/questions/549/the-definitive-guide-to-forms-based-website-authentication

and see whether there is anything in it for us.

@cgwalters
Contributor

One thing I think we should do for password auth is implement some sort of delay for repeated authentication failures. Even with a strong password policy, many people use similar passwords across multiple systems with different prefixes/suffixes. For these types of things it's only a matter of time before brute force makes it through; we should make it take longer, in the hope that the user has time to change the password.

@stefwalter
Contributor Author

Good point, although this can't be done naively, and it needs to be coordinated across multiple connections.
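As an added illustration of the "coordinated across multiple connections" point (example code, not Cockpit's own): a failure throttle keyed by account rather than by connection, so a second connection cannot start over with a fresh set of attempts, with a capped exponential delay so the throttle itself cannot be turned into a permanent lockout. The parameters, account name and scenario are constructed for the example.

```python
import threading
class FailureThrottle:
    """Server-wide delay after repeated password failures, keyed by account (not by
    connection) so parallel connections share one counter; the delay doubles per
    failure beyond free_attempts and is capped, so it cannot lock a user out for good."""
    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=60.0):
        self.free_attempts, self.base_delay, self.max_delay = free_attempts, base_delay, max_delay
        self._lock = threading.Lock()  # one lock: the state is shared by every connection
        self._state = {}  # account -> [failure count, earliest time the next attempt may run]

    def seconds_until_allowed(self, account, now):
        """0.0 if an attempt may proceed at time `now`, else the remaining wait."""
        with self._lock:
            st = self._state.get(account)
            return 0.0 if st is None else max(0.0, st[1] - now)

    def record_failure(self, account, now):
        """Wrong password at time `now`: count it and return the delay now imposed."""
        with self._lock:
            st = self._state.setdefault(account, [0, 0.0])
            st[0] += 1
            over = st[0] - self.free_attempts
            delay = 0.0 if over <= 0 else min(self.max_delay, self.base_delay * 2 ** (over - 1))
            st[1] = now + delay
            return delay

    def record_success(self, account):
        with self._lock:  # correct password: clear the counter for this account
            self._state.pop(account, None)

def simulate(throttle, attempts, start=1000.0):
    """attempts: constructed (seconds_since_previous, connection, account, password_ok)
    tuples; returns one outcome per attempt: 'ok', 'bad-password' or 'delayed'."""
    outcomes, now = [], start
    for gap, _conn, account, ok in attempts:  # the connection never influences the decision
        now += gap
        if throttle.seconds_until_allowed(account, now) > 0:
            outcomes.append("delayed")  # refused before the password is even checked
        elif ok:
            throttle.record_success(account); outcomes.append("ok")
        else:
            throttle.record_failure(account, now); outcomes.append("bad-password")
    return outcomes

# Constructed scenario: connection A fails four times; a parallel connection B then inherits the delay.
SCENARIO = [(0, "A", "root", False)] * 4 + [
    (0, "B", "root", False),  # delayed: the fourth failure imposed 1 s
    (1, "B", "root", False),  # wait over, fails again: delay becomes 2 s
    (0, "B", "root", True),   # right password but still inside the 2 s window
    (2, "A", "root", True)]   # ok, and the success clears the counter
```

Running `simulate(FailureThrottle(), SCENARIO)` yields four `bad-password` results, then `delayed`, `bad-password`, `delayed`, `ok`.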

@stefwalter stefwalter added this to the Security Cleanup milestone Apr 24, 2014
@stefwalter
Contributor Author

Notes on our implementation, based on the recommendations in the article.

Stuff that's recommended, which we implement:

  • We set HttpOnly and Secure (when on https)
  • We use https
  • Our cookie contains no information, just a server-side unpredictable token, generated using HMAC.
  • We never store cookie in persistent storage.
  • Passwords are system passwords subject to strength checks configured on the system.

Doesn't apply:

  • No CAPTCHA
  • No persistent login cookies.
  • No secret questions.
  • No forgotten password functionality (well, standard Linux single-user mode is the recourse there)

Delays after failed authentication currently work via PAM. If we want to do something globally, then we can implement that later. Leaving this bug open for more discussion there.

@stefwalter stefwalter modified the milestones: Security Cleanup, General Polish May 15, 2014
@stefwalter stefwalter changed the title Review password based auth Global delays after password failure May 15, 2014
@stefwalter stefwalter modified the milestone: General Polish Jan 20, 2015
@stefwalter
Contributor Author

This needs to be implemented at the server level for it to make any sense. Cockpit is merely one of many ways to log into a system.
