
Password Attempt Account Lockout for "Change CA Single Sign-On User Password"

Question asked by mr.david.dixon on Sep 19, 2018
Latest reply on Dec 10, 2018 by Stephen_Hughes

Maybe I'm missing something, but it appears that if you expose this new assertion as part of a service for a change-password process on your front end, you could potentially be allowing brute-force attempts against your accounts. Any "bad" attempt at the old password should count against the "failed attempts" on the account; however, this assertion does not do that, nor does it lock/disable the account like it should. Further, it appears that it is evaluating the contents of the new password first. This means there is yet another way of brute-forcing this assertion: brute-forcing against the new password until "this is too similar to the current/old password" is received.


Can someone tell me if I'm misunderstanding something? We want to use this, but as it stands, it opens us up to automated brute force attacks.
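The two gaps the question describes (a wrong old password that does not count toward lockout, and a new-password similarity check that runs before the old password has been verified) come down to the order of checks in the change-password handler. The following is an added illustration of the hardened ordering, not CA Single Sign-On code and not the asker's; the account store, the PBKDF2 hashing, the lockout threshold and the toy similarity rule are all assumed for the example:

```python
"""Illustrative change-password handler (added example, not CA SSO code).

Closes both gaps raised in the post:
  * a wrong OLD password increments the failed-attempt counter and locks the
    account at a threshold, exactly like a failed login would;
  * the NEW password is only evaluated (similarity, length) after the old
    password has been verified, so policy messages cannot act as an oracle
    for an unauthenticated caller.
The store, threshold and similarity rule below are assumptions for the demo.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5     # assumed lockout threshold
PBKDF2_ITERATIONS = 100_000  # assumed work factor


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False

    @classmethod
    def create(cls, username: str, password: str) -> "Account":
        salt = os.urandom(16)
        return cls(username, salt, hash_password(password, salt))


def too_similar(old: str, new: str) -> bool:
    """Toy similarity policy (assumed): reject case-insensitive equality, or a
    new password that merely prepends/appends characters to the old one."""
    o, n = old.lower(), new.lower()
    return o == n or (len(o) >= 4 and (n.startswith(o) or n.endswith(o)))


def change_password(acct: Account, old_password: str, new_password: str) -> str:
    """Return a result code. The order is the point:
    1. refuse locked accounts before touching anything;
    2. verify the OLD password, counting failures toward lockout;
    3. only then evaluate the NEW password against policy."""
    if acct.locked:
        return "locked"

    candidate = hash_password(old_password, acct.salt)
    if not hmac.compare_digest(candidate, acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        # Generic response: nothing about the new password reaches the caller.
        return "invalid_credentials"

    acct.failed_attempts = 0  # successful verification resets the counter

    # Policy checks run only for a caller who has proven the old password.
    if too_similar(old_password, new_password):
        return "too_similar"
    if len(new_password) < 12:
        return "too_short"

    acct.salt = os.urandom(16)
    acct.pw_hash = hash_password(new_password, acct.salt)
    return "changed"
```

Two details worth keeping even when the surrounding product differs: the failed-attempt counter for the change-password path should be the same one the login path uses, so the lockout policy is enforced in one place, and the response for a wrong old password should be identical regardless of what the new password looked like.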