Paths

Table of Contentst

Differential D18906

Add a rate limit for guessing old passwords when changing passwords
ClosedPublic
Actions

Authored by epriestley on Jan 22 2018, 1:52 AM.

Tags

None

Referenced Files

	F13196289: D18906.diff
	Sun, May 12, 11:09 PM

	F13179783: D18906.id45367.diff
	Wed, May 8, 9:26 PM

	F13174812: D18906.id45322.diff
	Wed, May 8, 1:19 AM

	Unknown Object (File)
	Fri, May 3, 4:12 AM

	Unknown Object (File)
	Wed, May 1, 12:14 PM

	Unknown Object (File)
	Mon, Apr 29, 4:09 PM

	Unknown Object (File)
	Thu, Apr 25, 12:02 AM

	Unknown Object (File)
	Fri, Apr 19, 7:07 PM

View All 60 Files

Subscribers

None

Details

Reviewers

Maniphest Tasks

T13043: Improve authentication revocation behaviors

Commits

rP026ec11b9d6b: Add a rate limit for guessing old passwords when changing passwords

Summary

Depends on D18904. Ref T13043. If an attacker compromises a victim's session and bypasses their MFA, they can try to guess the user's current account password by making repeated requests to change it: if they guess the right "Old Password", they get a different error than if they don't.

I don't think this is really a very serious concern (the attacker already got a session and MFA, if configured, somehow; many installs don't use passwords anyway) but we get occasional reports about it from HackerOne. Technically, it's better policy to rate limit it, and this should reduce the reports we receive.

Test Plan

Tried to change password over and over again, eventually got rated limited. Used bin/auth unlimit to clear the limit, changed password normally without issues.

Diff Detail

Repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

epriestley created this revision.Jan 22 2018, 1:52 AM

Harbormaster completed remote builds in B19109: Diff 45322.Jan 22 2018, 1:53 AM

epriestley requested review of this revision.Jan 22 2018, 1:53 AM

epriestley added a child revision: D18907: When administrators revoke SSH keys, don't include a "security warning" in the mail.Jan 22 2018, 1:59 AM

amckinley accepted this revision.Jan 23 2018, 7:50 PM

This revision is now accepted and ready to land.Jan 23 2018, 7:50 PM

Closed by commit rP026ec11b9d6b: Add a rate limit for guessing old passwords when changing passwords (authored by epriestley). · Explain WhyJan 23 2018, 9:46 PM

This revision was automatically updated to reflect the committed changes.

epriestley mentioned this in T13043: Improve authentication revocation behaviors.Jan 23 2018, 11:43 PM

Revision Contents
Changeset List

Path

Size

src/

__phutil_library_map__.php

2 lines

applications/

auth/

action/

PhabricatorAuthChangePasswordAction.php

22 lines

settings/

panel/

PhabricatorPasswordSettingsPanel.php

26 lines

Diff 45367

src/__phutil_library_map__.php

Loading...

src/applications/auth/action/PhabricatorAuthChangePasswordAction.php

Loading...

src/applications/settings/panel/PhabricatorPasswordSettingsPanel.php

Loading...