
Repeated authentication failure

The Application Server can be configured to prevent authentication fraud by systematic guessing of usernames and/or passwords. It does this by detecting situations of repeated authentication failure and taking actions that hinder the systematic guessing of usernames and passwords. Whether an action is taken when one of these situations is detected depends on the configuration of your system. Any action taken on detection of these situations is logged in the system log.

Repeated authentication failure with non existing username

When the system detects more than a configurable number of consecutive login failures with unknown usernames, the answer to an authentication attempt can be delayed. The delay is intended as protection against password guessing attacks.

The delay time is calculated by following formula:

delay = (FailedAttemptsWithUnknownUserCount - AuthenticationDelayThreshold) * 2

The delay will affect all authentication attempts (from any client). A successful login will reset the counter for failed attempts. A shutdown of the Application Server will also reset the counter for failed attempts.

The number of consecutive failed authentication attempts after which the slow down will occur (AuthenticationDelayThreshold) is configured with the global setting User sessions & security: Authentication slowing threshold.

Repeated authentication failure with the same existing username

When the system detects repeated login failures for the same username, and that username refers to an existing user account, the user can be locked after a configurable number of repeated login failures.

The number of consecutive failed authentications for one user after which the user will be locked is configured with the global setting User sessions & security: Authentication locking threshold. If a user is locked, he is not able to create a new user session and can therefore not log on to the system. A successful login resets the counter of failed authentications to zero. A shutdown of the Application Server will also reset the counter for failed authentications.

The counters for repeated consecutive login failures (total and for each user) are reset when the Application Server is restarted.
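As an added illustration, and not the product's own code, the following Python simulation implements both mechanisms described above: the global counter of failures with unknown usernames and its delay formula, and the per-user counter that leads to locking. The threshold values, the user store and the assumption that the delay for an attempt is computed from the counter as it stands before that attempt are all constructed for this example.

```python
import hmac
from dataclasses import dataclass, field

# Hypothetical threshold values; on a real system they come from the global
# settings "Authentication slowing threshold" and "Authentication locking threshold".
AUTH_DELAY_THRESHOLD = 3
AUTH_LOCK_THRESHOLD = 5


@dataclass
class AuthState:
    users: dict                                  # constructed user store: username -> password
    failed_unknown: int = 0                      # consecutive failures with unknown usernames
    failed_per_user: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def delay_for(self) -> int:
        # delay = (FailedAttemptsWithUnknownUserCount - AuthenticationDelayThreshold) * 2
        # Assumption: evaluated on the counter as it stands before the current attempt.
        return max(0, (self.failed_unknown - AUTH_DELAY_THRESHOLD) * 2)

    def authenticate(self, username: str, password: str) -> dict:
        """Return the outcome of one attempt and the delay applied to its answer."""
        delay = self.delay_for()                 # applies to every attempt, from any client
        if username not in self.users:
            self.failed_unknown += 1
            return {"ok": False, "reason": "unknown user", "delay": delay}
        if username in self.locked:
            return {"ok": False, "reason": "locked", "delay": delay}
        if not hmac.compare_digest(self.users[username], password):
            n = self.failed_per_user.get(username, 0) + 1
            self.failed_per_user[username] = n
            if n >= AUTH_LOCK_THRESHOLD:         # lock after the configured number of failures
                self.locked.add(username)
                return {"ok": False, "reason": "locked", "delay": delay}
            return {"ok": False, "reason": "bad password", "delay": delay}
        # A successful login resets both the global and the per-user counter.
        self.failed_unknown = 0
        self.failed_per_user[username] = 0
        return {"ok": True, "reason": "ok", "delay": delay}

    def restart(self) -> None:
        # A restart resets all failure counters; the page says nothing about
        # clearing existing locks, so they are left in place here.
        self.failed_unknown = 0
        self.failed_per_user.clear()
```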


© 2021 AFRY Austria GmbH, www.redbex.com