Brute Force Login Prevention

From OpenEMR Project Wiki
Revision as of 06:09, 17 May 2023 by Bradymiller (talk | contribs) (Created page with "= Overview = :Prior to OpenEMR 7.0.1(1), the global configuration setting Security->"Maximum Failed Login Attempts" could be set to shut down logins from users that exceeded t...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Overview

Prior to OpenEMR 7.0.1(1), the global configuration setting Security->"Maximum Failed Login Attempts" could be set to shut down logins from users that exceeded the set number of failed logins. This prevented brute force login, however, was difficult to administer (for example, required manual fixes directly in mysql database for an administrator to reset a user's account so they could login in).
For OpenEMR 7.0.1(1) and subsequent versions, this was upgraded to:
  • Allow easy reset of the number of failed logins by the administrator in OpenEMR's user interface.
  • Introduce a time out where the number of failed logins is reset.
  • Introduce the mechanism for both users and ip addresses.
  • Users with the Security->"Maximum Failed Login Attempts For User" and Security->"Time (seconds) to Reset Maximum Failed Login Attempts For User" settings.
  • IP Addresses with the Security->"Maximum Failed Login Attempts From IP Address" and Security->"Time (seconds) to Reset Maximum Failed Login Attempts From IP Address" settings.
  • These features by turn on be default with following settings:
  • Security->"Maximum Failed Login Attempts For User" is 20
Retrieved from "https://www.open-emr.org/wiki/index.php?title=Brute_Force_Login_Prevention&oldid=34496"