What is Login brute force vulnerability and how do we prevent it in Smarten?

A brute-force attack is when anyone uses a system of trial and error in an attempt to guess / discover user credentials. These attacks are typically automated using wordlists of usernames and passwords.

In any application, if there is no limit on the number of wrong passwords that can be entered, the login form is open to brute force, which considerably increases the efficiency of such attacks and can end in the account being compromised.

To overcome such vulnerabilities, in Smarten, we can restrict the number of attempts for login.

The MAXIMUM_NO_OF_ATTEMPTS parameter has to be defined in the default.conf file under the smarten folder (wildfly/standalone/deployments/smarten.war/conf/default.conf).

Please refer to the below article for more details.

https://support.smarten.com/support/solutions/articles/9000200754-password-patterns-and-configurations-in-smarten

Also, locking an account offers a certain amount of protection against targeted brute-forcing of a specific account. If the user enters a wrong password more times than the specified value, the Smarten user is made inactive temporarily for 2 hours, as shown below.

For example, to set the number of wrong attempts to 5, open the default.conf file and set the parameter as 'MAXIMUM_NO_OF_ATTEMPTS=5'.
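The threshold-and-lockout behaviour described above, as an added illustrative example in Python (not Smarten's own code): it reads MAXIMUM_NO_OF_ATTEMPTS from constructed default.conf text, counts consecutive wrong passwords per user and makes the user inactive for 2 hours. Treating "more times than the specified value" as strictly more failures than the configured number, and a value of 0 as no limit, are assumptions of this example.

```python
import time

# Illustrative lockout logic; assumes default.conf is a plain KEY=VALUE file.
LOCKOUT_SECONDS = 2 * 60 * 60  # the 2-hour temporary lockout described above

# Constructed sample of the relevant default.conf content
SAMPLE_CONF = "# constructed sample\nMAXIMUM_NO_OF_ATTEMPTS=5\n"


def parse_max_attempts(conf_text: str, default: int = 0) -> int:
    """Return MAXIMUM_NO_OF_ATTEMPTS from KEY=VALUE text (0 = no limit, assumed)."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "MAXIMUM_NO_OF_ATTEMPTS":
            return int(value.strip().strip("'\""))
    return default


class LoginGuard:
    """Counts consecutive failures per user; locks the user for LOCKOUT_SECONDS."""

    def __init__(self, max_attempts, check_password, now=time.time):
        self.max_attempts = max_attempts      # 0 disables the limit (assumption)
        self.check_password = check_password  # callable(user, password) -> bool
        self.now = now                        # injectable clock for testing
        self.failures = {}                    # user -> consecutive wrong attempts
        self.locked_until = {}                # user -> epoch seconds when lock ends

    def is_locked(self, user) -> bool:
        return self.now() < self.locked_until.get(user, 0)

    def login(self, user, password) -> str:
        # While inactive, even the correct password is rejected.
        if self.is_locked(user):
            return "locked"
        if self.check_password(user, password):
            self.failures.pop(user, None)  # success resets the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        # Lock once the failures exceed the configured maximum.
        if self.max_attempts and self.failures[user] > self.max_attempts:
            self.locked_until[user] = self.now() + LOCKOUT_SECONDS
            self.failures.pop(user, None)  # fresh count after the lock expires
            return "locked"
        return "wrong_password"
```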

MESSAGE AFTER LOCKING THE ACCOUNT TEMPORARILY

Note: This article is based on Smarten Version 5.0. This may or may not be relevant to the Smarten version you may be using.