
List:       forgerock-opendj
Subject:    Re: [Opendj] Expired password / Invalid credential
From:       Nicolas Labrot <Nicolas.Labrot () victorbuckservices ! com>
Date:       2014-04-18 11:11:46
Message-ID: 4796C5A73CEBCD44A2A0ABE0DFF0995F7CBC58BC () CAP-MAILBX02 ! ivb ! victor-buck ! com
[Download RAW message or body]

Hi Jim,

I think both can coexist.

invalid password and usable account: Exception with ResultCode=INVALID_CREDENTIAL
invalid password and not usable account: Exception with ResultCode=INVALID_CREDENTIAL with PasswordPolicyErrorType=PASSWORD_EXPIRED
valid password and not usable account: Exception with ResultCode=<A NEW CODE> (maybe AUTHORIZATION_DENIED?) with PasswordPolicyErrorType=PASSWORD_EXPIRED

I have created the following JIRA: https://bugster.forgerock.org/jira/browse/OPENDJ-1443

-----Original Message-----
From: opendj-bounces@forgerock.org [mailto:opendj-bounces@forgerock.org] On Behalf Of Jim Klimov
Sent: Friday, April 18, 2014 9:12 AM
To: OpenDJ discussion list
Subject: Re: [Opendj] Expired password / Invalid credential

On 16 April 2014 18:57:36 CEST, Matthew Swift <matthew.swift@forgerock.com> wrote:
> Hi Nicolas,
> 
> I personally agree with you that the behavior is surprising. I think 
> that it would be better to return the expiration error only if the user 
> provided the correct, albeit expired, password.
> 

Well, I find both approaches rational for their use cases, based on usability vs. security by obscurity. If a change in logic is ultimately implemented, I think it should be a config flag, with the default being the current behavior (least surprise policy).

Hth,
//Jim


> Matt
> 
> 
> 
> On Wed, Apr 16, 2014 at 3:40 PM, Nicolas Labrot <Nicolas.Labrot@victorbuckservices.com> wrote:
> 
> > Hi Ludovic,
> > 
> > OpenDJ 2.6.0
> > 
> > > If a password has expired, the OpenDJ server will not check the password
> > > and reject immediately. Otherwise it could be used to brute force attack
> > > expired passwords: a malicious user receiving the expired password
> > > message would know that both the user and the password are valid, even
> > > though expired.
> > 
> > Your statement is even valid for non-expired passwords: if the auth is
> > successful, the attacker would know that the password is valid. Btw, a
> > password is less likely to be discovered than a username, especially when
> > the username is an email. Too many authentication attempts can be
> > protected against with account locking or a captcha.
> > 
> > For B2C, even if the account is locked, the password expired or reset, I
> > try not to disclose the validity of the username and follow this flow:
> > "username/password => auth ok => check account usability"
> > 
> > 
> > 
> > Nicolas
> > 
> > 
> > 
> > -----Original Message-----
> > From: opendj-bounces@forgerock.org [mailto:opendj-bounces@forgerock.org] On Behalf Of Ludovic Poitou
> > Sent: Wednesday, April 16, 2014 3:00 PM
> > To: OpenDJ discussion list
> > Subject: Re: [Opendj] Expired password / Invalid credential
> > 
> > Hi Nicolas,
> > 
> > I think the behaviour is intended, but can you confirm which version of
> > OpenDJ?
> > 
> > While I agree that an authentication error should disclose minimal
> > information to the client, knowing that the password is expired is
> > important to allow redirection to the password self-management tools.
> > If there's no indication at all, the client has no idea what to do.
> > 
> > If a password has expired, the OpenDJ server will not check the password
> > and reject immediately. Otherwise it could be used to brute force attack
> > expired passwords: a malicious user receiving the expired password
> > message would know that both the user and the password are valid, even
> > though expired.
> > 
> > Regards,
> > 
> > Ludovic
> > 
> > 
> > On Wed, Apr 16, 2014 at 2:40 PM, Nicolas Labrot <Nicolas.Labrot@victorbuckservices.com> wrote:
> > > Hello,
> > > 
> > > When a password is expired, a bind returns "invalid credential:
> > > expired" even if the password is not correct. As a consequence I'm not
> > > able to determine whether the authentication request is well-founded or
> > > malicious. Users will always be redirected to the change password page,
> > > and a malicious user will know that this username exists.
> > > 
> > > Am I missing something?
> > > 
> > > Thanks!
> > > 
> > > Nicolas
> > > 
> > > 
> > > _______________________________________________
> > > OpenDJ mailing list
> > > OpenDJ@forgerock.org
> > > https://lists.forgerock.org/mailman/listinfo/opendj
> > > 
> > 
> 
> 


--
Typos courtesy of K-9 Mail on my Samsung Android
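The two bind behaviours argued over in this thread, as an added Python simulation that is not part of any message above and not OpenDJ's code. It assumes an in-memory directory keyed by DN with PBKDF2-hashed passwords, a `bind_reject_unusable_first` function modelling the behaviour Ludovic describes (expiry reported before the password is checked), a `bind_check_password_first` function modelling the flow Nicolas and Matthew prefer, and a `username_oracle` helper that probes whether a wrong-password bind against a DN is distinguishable from a bind against a DN that does not exist. Only the `ResultCode` and `PasswordPolicyErrorType` names mirror the LDAP result code and password policy response control values; everything else is this example's own.

```python
"""Constructed simulation of bind ordering vs. username disclosure."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional


class ResultCode(Enum):
    SUCCESS = 0
    INVALID_CREDENTIALS = 49


class PasswordPolicyErrorType(Enum):
    PASSWORD_EXPIRED = 0
    ACCOUNT_LOCKED = 1


@dataclass(frozen=True)
class BindResponse:
    result: ResultCode
    # Value that would be carried in the password policy response control.
    policy_error: Optional[PasswordPolicyErrorType] = None


@dataclass
class Account:
    salt: bytes
    pwd_hash: bytes
    expired: bool = False
    locked: bool = False

    def usability_error(self) -> Optional[PasswordPolicyErrorType]:
        if self.locked:
            return PasswordPolicyErrorType.ACCOUNT_LOCKED
        if self.expired:
            return PasswordPolicyErrorType.PASSWORD_EXPIRED
        return None


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_account(password: str, **flags) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt=salt, pwd_hash=_hash(password, salt), **flags)


def _password_ok(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.pwd_hash, _hash(password, acct.salt))


Directory = Dict[str, Account]
BindFn = Callable[[Directory, str, str], BindResponse]

# Hashed against when the DN is unknown so timing does not reveal existence.
_DUMMY = make_account(secrets.token_hex(16))


def bind_reject_unusable_first(directory: Directory, dn: str, password: str) -> BindResponse:
    """Reports an unusable account before the password is verified."""
    acct = directory.get(dn)
    if acct is None:
        _password_ok(_DUMMY, password)
        return BindResponse(ResultCode.INVALID_CREDENTIALS)
    err = acct.usability_error()
    if err is not None:
        return BindResponse(ResultCode.INVALID_CREDENTIALS, err)
    if not _password_ok(acct, password):
        return BindResponse(ResultCode.INVALID_CREDENTIALS)
    return BindResponse(ResultCode.SUCCESS)


def bind_check_password_first(directory: Directory, dn: str, password: str) -> BindResponse:
    """Verifies the password first; usability is only reported on a correct password."""
    acct = directory.get(dn)
    ok = _password_ok(acct if acct is not None else _DUMMY, password)
    if acct is None or not ok:
        return BindResponse(ResultCode.INVALID_CREDENTIALS)
    err = acct.usability_error()
    if err is not None:
        return BindResponse(ResultCode.INVALID_CREDENTIALS, err)
    return BindResponse(ResultCode.SUCCESS)


def username_oracle(bind: BindFn, directory: Directory, dn: str) -> bool:
    """True if a wrong-password bind against `dn` can be told apart from a
    bind against a DN that does not exist, i.e. the server confirms the
    account to a caller who does not know the password."""
    wrong = "not-the-password-" + secrets.token_hex(8)
    absent = "uid=no-such-user,ou=people,dc=example,dc=com"
    return bind(directory, dn, wrong) != bind(directory, absent, wrong)
```

For an expired account the oracle returns True under the reject-first ordering (the expiry is reported for any password, which is the enumeration Nicolas describes) and False under the check-first ordering, where only the holder of the correct, expired password is told the account is expired, the trade-off Ludovic and Jim describe. For a usable account both orderings answer plain INVALID_CREDENTIALS to a wrong password, so neither leaks anything there.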

