Difference between revisions of "Brute Force Login Prevention"
From OpenEMR Project Wiki
Bradymiller (talk | contribs) |
Bradymiller (talk | contribs) |
||
| Line 1: | Line 1: | ||
= Overview = | = Overview = | ||
:*Prior to OpenEMR 7.0.1(1), the global configuration setting Security->"Maximum Failed Login Attempts" could be set to shut down logins from users that exceeded the set number of failed logins. This prevented brute force login, however, was difficult to administer (for example, required manual fixes directly in mysql database for an administrator to reset a user's account so they could login | :*Prior to OpenEMR 7.0.1(1), the global configuration setting Security->"Maximum Failed Login Attempts" could be set to shut down logins from users that exceeded the set number of failed logins. This prevented brute force login, however, was difficult to administer (for example, required manual fixes directly in mysql database for an administrator to reset a user's account so they could login again). | ||
:*For OpenEMR 7.0.1(1) and subsequent versions, this was upgraded to: | :*For OpenEMR 7.0.1(1) and subsequent versions, this was upgraded to: | ||
::*Allow easy reset of the number of failed logins by the administrator in OpenEMR's user interface. | ::*Allow easy reset of the number of failed logins by the administrator in OpenEMR's user interface. | ||
Revision as of 06:10, 17 May 2023
Overview
- Prior to OpenEMR 7.0.1(1), the global configuration setting Security->"Maximum Failed Login Attempts" could be set to shut down logins from users that exceeded the set number of failed logins. This prevented brute force login, however, was difficult to administer (for example, required manual fixes directly in mysql database for an administrator to reset a user's account so they could login again).
- For OpenEMR 7.0.1(1) and subsequent versions, this was upgraded to:
- Allow easy reset of the number of failed logins by the administrator in OpenEMR's user interface.
- Introduce a time out where the number of failed logins is reset.
- Introduce the mechanism for both users and ip addresses.
- Users with the Security->"Maximum Failed Login Attempts For User" and Security->"Time (seconds) to Reset Maximum Failed Login Attempts For User" settings.
- IP Addresses with the Security->"Maximum Failed Login Attempts From IP Address" and Security->"Time (seconds) to Reset Maximum Failed Login Attempts From IP Address" settings.
- These features by turn on be default with following settings:
- Security->"Maximum Failed Login Attempts For User" is 20
