
Prevent Brute force attacks - Support rate limiting login attempts

Status: Open. Tymmmy opened this issue 1 year ago • 3 comments

Context

Currently a user can try to log in with a bad password as many times as he wants, which means the site is vulnerable to brute-force attacks. This means user accounts can be compromised.

Todos

Implement a rate limit feature to limit login attempts

Tymmmy · Sep 12 '24 12:09
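One way to implement the rate limit asked for in this issue. This is an added example written for this page, not code from the testnet wallet backend: an in-memory limiter keyed on the lower-cased e-mail plus the client IP, with a fixed failure window and a lockout. The limits (5 failures per 15 minutes, 15-minute lockout), the `verify` callback standing in for the real credential check, and the sample e-mails and IPs are all assumptions chosen for illustration.

```typescript
// Added example (not the testnet project's own code): an in-memory rate limiter
// for login attempts. Limits, window lengths and the verify callback are
// assumptions for illustration. A real deployment keeps this state in a shared
// store (e.g. Redis) so it survives restarts and is consistent across replicas.

type AttemptRecord = {
  failures: number;     // failed attempts in the current window
  windowStart: number;  // ms timestamp at which the window opened
  lockedUntil: number;  // ms timestamp until which logins are refused (0 = not locked)
};

type LoginResult = 'ok' | 'invalid' | 'locked';

class LoginRateLimiter {
  private readonly records = new Map<string, AttemptRecord>();

  constructor(
    private readonly maxFailures: number = 5,
    private readonly windowMs: number = 15 * 60 * 1000,
    private readonly lockoutMs: number = 15 * 60 * 1000,
    // Injected clock so the behaviour can be exercised without waiting.
    private readonly now: () => number = () => Date.now(),
  ) {}

  // Keying on e-mail alone lets an attacker lock victims out on purpose;
  // keying on IP alone is trivially spread over many addresses. Use both.
  private key(email: string, ip: string): string {
    return `${email.trim().toLowerCase()}|${ip}`;
  }

  /** Milliseconds the caller must wait before another attempt, or 0 if allowed. */
  retryAfterMs(email: string, ip: string): number {
    const rec = this.records.get(this.key(email, ip));
    if (!rec) return 0;
    const remaining = rec.lockedUntil - this.now();
    return remaining > 0 ? remaining : 0;
  }

  recordFailure(email: string, ip: string): void {
    const k = this.key(email, ip);
    const t = this.now();
    let rec = this.records.get(k);
    // Open a fresh window if there is none or the previous one has expired.
    if (!rec || t - rec.windowStart > this.windowMs) {
      rec = { failures: 0, windowStart: t, lockedUntil: 0 };
    }
    rec.failures += 1;
    if (rec.failures >= this.maxFailures) {
      rec.lockedUntil = t + this.lockoutMs;
    }
    this.records.set(k, rec);
  }

  /** A successful login clears the counter for that key. */
  recordSuccess(email: string, ip: string): void {
    this.records.delete(this.key(email, ip));
  }
}

// Order matters: consult the limiter before any password work so a locked-out
// key never reaches the (expensive) hash verification; count the failure after
// the check; reset only on success.
function attemptLogin(
  limiter: LoginRateLimiter,
  email: string,
  password: string,
  ip: string,
  verify: (email: string, password: string) => boolean, // hypothetical credential check
): LoginResult {
  if (limiter.retryAfterMs(email, ip) > 0) return 'locked';
  if (!verify(email, password)) {
    limiter.recordFailure(email, ip);
    return 'invalid';
  }
  limiter.recordSuccess(email, ip);
  return 'ok';
}
```

When `attemptLogin` returns `'locked'`, the HTTP layer would answer 429 with a `Retry-After` header derived from `retryAfterMs`; a progressive delay (doubling the lockout on repeated lockouts) or a CAPTCHA step can be layered on the same counter.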

The comment that was left in the auth section for the wallet backend regarding timing attacks is not related to the number of emails/limiting. What is mentioned in this issue can be another feature, but it's not related to timing attacks.

The timing attacks can happen when we compare hashes (doing cryptography - in our case, when we verify the given password for the user).

https://github.com/interledger/testnet/blob/2e01fb96d51d7796510ba321525f40d288779f8c/packages/wallet/backend/src/auth/service.ts#L89-L98

Useful links:

raducristianpopa · Sep 17 '24 05:09
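To make the timing-attack point above concrete, here is an added example for this page, not code from the testnet wallet backend and not the code at the linked lines. It contrasts a byte-by-byte comparison that returns at the first mismatch (its step count stands in for elapsed time, so the leak is visible without a stopwatch) with a comparison built on Node's `crypto.timingSafeEqual`, and applies the latter to verifying a stored password hash. The scrypt-based storage format, the user map and the e-mail addresses are assumptions of the example. It also covers a related case the comment does not mention: running the same hash work for unknown accounts so response time does not reveal whether an e-mail is registered.

```typescript
import { createHash, randomBytes, scryptSync, timingSafeEqual } from 'crypto';

// Naive comparison: returns on the first differing byte, so the time taken
// grows with the length of the matching prefix. An attacker who can measure
// that can recover a secret one byte at a time. `steps` stands in for time.
function naiveEqualSteps(a: Buffer, b: Buffer): { equal: boolean; steps: number } {
  let steps = 0;
  if (a.length !== b.length) return { equal: false, steps };
  for (let i = 0; i < a.length; i++) {
    steps++;
    if (a[i] !== b[i]) return { equal: false, steps };
  }
  return { equal: true, steps };
}

// Constant-time comparison. timingSafeEqual throws on inputs of different
// length, so both sides are reduced to a fixed 32-byte digest first; this also
// keeps the length of the secret out of the timing.
function safeEqual(a: Buffer, b: Buffer): boolean {
  const da = createHash('sha256').update(a).digest();
  const db = createHash('sha256').update(b).digest();
  return timingSafeEqual(da, db);
}

const SCRYPT_KEYLEN = 64;

// Stored form "<salt hex>:<scrypt key hex>" is an assumption of this example.
function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const key = scryptSync(password, salt, SCRYPT_KEYLEN);
  return `${salt.toString('hex')}:${key.toString('hex')}`;
}

function verifyPassword(password: string, stored: string): boolean {
  const [saltHex, keyHex] = stored.split(':');
  if (saltHex === undefined || keyHex === undefined) return false;
  const salt = Buffer.from(saltHex, 'hex');
  const expected = Buffer.from(keyHex, 'hex');
  const actual = scryptSync(password, salt, expected.length);
  return safeEqual(actual, expected); // never `actual.equals(expected)` or `===` on hex strings
}

// Computed once at startup. Used when the e-mail is unknown so that an unknown
// account costs the same scrypt work as a known one (no enumeration via timing).
const DUMMY_HASH = hashPassword(randomBytes(16).toString('hex'));

// `users` maps lower-cased e-mail to the stored hash (constructed in the caller).
function authenticate(users: Map<string, string>, email: string, password: string): boolean {
  const stored = users.get(email.trim().toLowerCase());
  const ok = verifyPassword(password, stored ?? DUMMY_HASH);
  return stored !== undefined && ok;
}
```

Password-hashing libraries such as bcrypt or argon2 already do a constant-time comparison inside their verify function; the place to be careful is anywhere the application compares raw tokens, reset codes or computed hashes itself.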

@adrianboros so the story above still stands, but it looks like 'timing attacks' are more cryptography-related than sending a lot of emails. Just FYI

Tymmmy · Sep 17 '24 06:09

@Tymmmy yes, this story is one of the countermeasures for brute-force attacks, still something we should have. Let's split this into two separate issues.

adrianboros · Sep 17 '24 06:09