
Limit login attempts (1st iteration)

Description

Anyone can pound our server with username + password guesses until they hit the correct password for a user. We should limit the number of attempts to 5, then freeze the account and email the user an unfreeze link and a password reset link.

See the following:

https://github.com/plataformatec/devise/wiki/How-To:-Add-:lockable-to-Users
https://github.com/plataformatec/devise/blob/master/lib/devise/models/recoverable.rb


We should also enforce password complexity requirements so that admin users' passwords are secure:

https://github.com/plataformatec/devise/wiki/How-To:-Set-up-simple-password-complexity-requirements

For password validation:

Please use this regex, taken from here, for admins:

"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{12,}$"

This enforces the following rules:

  • At least one upper case English letter
  • At least one lower case English letter
  • At least one digit
  • At least one special character
  • Minimum length of 12 characters
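An added example (not from the ticket and not Devise's code) of the rules above as a plain-Ruby check. One caveat worth carrying into the Devise model: the regex above uses ^ and $, which in Ruby are line anchors rather than string anchors, so a value whose first line is strong and whose remaining lines are anything at all would pass it. ActiveModel's format validator refuses ^/$ for exactly this reason and asks for \A and \z, which is what the constant below uses; the line-anchored original is kept only so the difference can be checked. The function names are assumptions.

```ruby
# Added example, not from the ticket or Devise: the admin complexity rules as a
# plain-Ruby check. The regex below is the ticket's, with ^/$ replaced by \A/\z:
# in Ruby ^ and $ match at line boundaries, so the original would accept a value
# whose first line is strong and whose remaining lines are anything at all.
ADMIN_PASSWORD_REGEX =
  /\A(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{12,}\z/

# The ticket's regex verbatim (line-anchored), kept only to show the difference.
LINE_ANCHORED_REGEX =
  /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{12,}$/

def admin_password_ok?(password)
  ADMIN_PASSWORD_REGEX.match?(password)
end

def line_anchored_ok?(password)
  LINE_ANCHORED_REGEX.match?(password)
end

# Names each violated rule so the form can say which requirement failed rather
# than a bare "invalid password"; an empty array means the password is acceptable.
def admin_password_errors(password)
  errors = []
  errors << "at least one upper case letter" unless password.match?(/[A-Z]/)
  errors << "at least one lower case letter" unless password.match?(/[a-z]/)
  errors << "at least one digit"             unless password.match?(/\d/)
  errors << "at least one special character (@$!%*?&)" unless password.match?(/[@$!%*?&]/)
  errors << "minimum length of 12 characters" unless password.length >= 12
  errors << "only letters, digits and @$!%*?& are allowed" unless password.match?(/\A[A-Za-z\d@$!%*?&]*\z/)
  errors
end

# Cross-check: the rule list and the regex must agree on every input.
def rules_agree?(password)
  admin_password_ok?(password) == admin_password_errors(password).empty?
end
```

In the Rails model this becomes `validates :password, format: { with: ADMIN_PASSWORD_REGEX }` guarded by an admin condition; the per-rule error list is what you would show in the form, since the regex alone only says yes or no.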

Freezing

Scenario:

GIVEN the user attempts to log in without success on either of the two login pages (both share one design, so from here on they are treated as one)
WHEN the fifth unsuccessful attempt is made
THEN replace the message on the disclaimer


Invalid username or password. Please try again.

with

Oops!


We have temporarily blocked your account due to too many failed login attempts.

Please check your email to unblock your account (click here [1] to resend the confirmation email).

Emilie’s proposal:

Oh no! Your account is blocked after too many failed attempts.

To unblock your account, check your email for instructions. (Click here to resend the email).

AND send the following email to the user:

Hi #{username},

Someone, probably you, is having trouble logging into [POWr.io](http://powr.io/).

We have blocked your account after too many unsuccessful login attempts.

If you remember your username and password, please use this link **to log in and unblock your account**:

[https://powr.io/unlock/of8ubso4ufbo8ubsfo8u%user48238u4834ur84hifh4nnfn8ofuo84ufou](https://powr.io/reset-password/of8ubso4ufbo8ubsfo8u%user48238u4834ur84hifh4nnfn8ofuo84ufou)

If you need to, please use this link **to reset your password**:

[https://powr.io/reset-password/of8ubso4ufbo8ubsfo8u%user48238u4834ur84hifh4nnfn8ofuo84ufou](https://powr.io/reset-password/of8ubso4ufbo8ubsfo8u%user48238u4834ur84hifh4nnfn8ofuo84ufou)

If you didn't attempt to log in, simply forward this email to [email protected] and we will do everything we can to keep your data safe.

Thanks,

The [POWr.io](http://powr.io/) Team

Email

Scenario 1:

GIVEN the user received an email after their account was frozen
WHEN the user clicks the unfreeze link
THEN the password reset link must be deactivated immediately
AND the user lands on the login page with this disclaimer at the top:

Your account has been unlocked. Please log in to continue.


Scenario 2:

GIVEN the user received an email after their account was frozen
WHEN the user clicks the password reset link
THEN the unfreeze link must be deactivated immediately
AND the user lands on the existing password reset page [2], at the stage of setting a new password for the account
AFTER the new password is set, the user's account must be set to the unfrozen state

Scenario 3:

GIVEN the user received an email after their account was frozen and waited too long
WHEN the user clicks the password reset or account unlock link
THEN they see the message:

Dear #{username},

Your account lock time has already expired. If you have forgotten your password, please click here to receive an updated password reset link.

AND when the user presses that link, the existing password reset email must be sent
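The freeze, unlock and reset scenarios above (the five-attempt freeze from the description and email scenarios 1 to 3), as an added worked example in plain Ruby. This is not the project's code and not Devise's: in the real app Devise's :lockable and :recoverable modules carry this state on the user record, and config.maximum_attempts, config.lock_strategy = :failed_attempts, config.unlock_strategy = :email and config.unlock_in in the Devise initializer control the behaviour. The class below models one account: five failed attempts freeze it and issue an unlock link and a reset link; using either link kills the other; the reset link unfreezes only once the new password is set; after an assumed one-hour lifetime both links report "expired" and the ordinary reset email can be requested instead. The Account class, its method names, the example.invalid URLs and the one-hour lifetime are assumptions.

```ruby
require "securerandom"
require "digest"

# Added example, not the project's or Devise's code: a plain-Ruby model of the
# lock / unlock / reset flow. Names and the one-hour link lifetime are assumptions.
class Account
  MAX_ATTEMPTS = 5        # freeze on the fifth failed attempt (from the ticket)
  LINK_TTL     = 60 * 60  # assumed lifetime of the emailed links and of the lock

  attr_reader :username, :failed_attempts, :outbox

  def initialize(username, password)
    @username, @password = username, password
    @failed_attempts = 0
    @locked_at = nil
    @unlock_digest = @reset_digest = nil  # only token digests are stored, as Devise does
    @outbox = []                          # emails "sent" by this model, for inspection
  end

  # The lock lapses by itself after LINK_TTL (Devise's unlock_in); scenario 3
  # then points the user at a fresh reset email instead of the stale links.
  def locked?(now: Time.now)
    !@locked_at.nil? && (now - @locked_at) < LINK_TTL
  end

  # :ok, :invalid or :locked. A locked account rejects even the right password.
  def attempt_login(password, now: Time.now)
    return :locked if locked?(now: now)
    if password == @password
      clear_lock!
      return :ok
    end
    @failed_attempts += 1
    return :invalid if @failed_attempts < MAX_ATTEMPTS
    @locked_at = now
    issue_links(now)
    :locked
  end

  # Scenario 1: the unlock link unfreezes the account and kills the reset link.
  def unlock_with(token, now: Time.now)
    return :expired if links_expired?(now)
    return :invalid unless token_matches?(@unlock_digest, token)
    clear_lock!
    :unlocked
  end

  # Scenario 2: the reset link kills the unlock link; unfrozen only once the new password is set.
  def reset_password_with(token, new_password, now: Time.now)
    return :expired if links_expired?(now)
    return :invalid unless token_matches?(@reset_digest, token)
    @password = new_password
    clear_lock!
    :reset
  end

  # Note 1: "click here to resend" re-issues both links, voiding the old email.
  def resend_lock_email(now: Time.now)
    return :not_locked unless locked?(now: now)
    issue_links(now)
    :sent
  end

  # Scenario 3: after expiry the ordinary password-reset email (reset link only).
  def request_password_reset(now: Time.now)
    issue_links(now, with_unlock: false)
    :sent
  end

  private

  def clear_lock!
    @locked_at = nil
    @failed_attempts = 0
    @unlock_digest = @reset_digest = nil  # both links die together
  end

  def issue_links(now, with_unlock: true)
    reset_token  = SecureRandom.urlsafe_base64(32)
    unlock_token = with_unlock ? SecureRandom.urlsafe_base64(32) : nil
    @reset_digest  = Digest::SHA256.hexdigest(reset_token)
    @unlock_digest = unlock_token && Digest::SHA256.hexdigest(unlock_token)
    @links_issued_at = now
    @outbox << {
      to: @username,
      unlock_url: unlock_token && "https://example.invalid/unlock/#{unlock_token}",
      reset_url: "https://example.invalid/reset-password/#{reset_token}"
    }
  end

  def links_expired?(now)
    !@links_issued_at.nil? && (now - @links_issued_at) >= LINK_TTL
  end

  def token_matches?(digest, token)
    !digest.nil? && !token.nil? && Digest::SHA256.hexdigest(token) == digest
  end
end
```

Two design points the scenarios imply but do not spell out: the correct password is rejected while the account is frozen (otherwise the lock does nothing to slow guessing), and only a digest of each token is stored, so a read of the users table does not hand out working unlock or reset links. Both links are generated fresh on every send, which is what note 2 asks for.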

Notes


  1. "click here" triggers resending of the confirmation email
  2. the link is given as a sample; the real email must contain a newly generated link for the particular user whose account is frozen