Paths

Table of Contentst

Differential D18906

Add a rate limit for guessing old passwords when changing passwords
ClosedPublic
Actions

Authored by epriestley on Jan 22 2018, 1:52 AM.

Tags

None

Referenced Files

	Unknown Object (File)
	Thu, Nov 21, 9:40 AM

	Unknown Object (File)
	Sun, Nov 17, 6:02 PM

	Unknown Object (File)
	Fri, Nov 15, 6:58 AM

	Unknown Object (File)
	Sun, Nov 10, 11:43 AM

	Unknown Object (File)
	Wed, Nov 6, 6:56 AM

	Unknown Object (File)
	Oct 13 2024, 11:53 PM

	Unknown Object (File)
	Oct 7 2024, 10:35 AM

	Unknown Object (File)
	Sep 21 2024, 11:35 AM

Subscribers

None

Details

Reviewers

Maniphest Tasks

T13043: Improve authentication revocation behaviors

Commits

rP026ec11b9d6b: Add a rate limit for guessing old passwords when changing passwords

Summary

Depends on D18904. Ref T13043. If an attacker compromises a victim's session and bypasses their MFA, they can try to guess the user's current account password by making repeated requests to change it: if they guess the right "Old Password", they get a different error than if they don't.

I don't think this is really a very serious concern (the attacker already got a session and MFA, if configured, somehow; many installs don't use passwords anyway) but we get occasional reports about it from HackerOne. Technically, it's better policy to rate limit it, and this should reduce the reports we receive.

Test Plan

Tried to change password over and over again, eventually got rated limited. Used bin/auth unlimit to clear the limit, changed password normally without issues.

Diff Detail

Repository

Branch

revoke16

Lint

Lint Passed

Unit

Tests Passed

Build Status

Buildable 19109
Build 25798: Run Core Tests
Build 25797: arc lint + arc unit

Event Timeline

epriestley created this revision.Jan 22 2018, 1:52 AM

Harbormaster completed remote builds in B19109: Diff 45322.Jan 22 2018, 1:53 AM

epriestley requested review of this revision.Jan 22 2018, 1:53 AM

epriestley added a child revision: D18907: When administrators revoke SSH keys, don't include a "security warning" in the mail.Jan 22 2018, 1:59 AM

amckinley accepted this revision.Jan 23 2018, 7:50 PM

This revision is now accepted and ready to land.Jan 23 2018, 7:50 PM

Closed by commit rP026ec11b9d6b: Add a rate limit for guessing old passwords when changing passwords (authored by epriestley). · Explain WhyJan 23 2018, 9:46 PM

This revision was automatically updated to reflect the committed changes.

epriestley mentioned this in T13043: Improve authentication revocation behaviors.Jan 23 2018, 11:43 PM

Revision Contents
Changeset List

Path

Size

src/

__phutil_library_map__.php

2 lines

applications/

auth/

action/

PhabricatorAuthChangePasswordAction.php

22 lines

settings/

panel/

PhabricatorPasswordSettingsPanel.php

26 lines

Diff 45322

src/__phutil_library_map__.php

Loading...

src/applications/auth/action/PhabricatorAuthChangePasswordAction.php

Loading...

src/applications/settings/panel/PhabricatorPasswordSettingsPanel.php

Loading...