fix(security): throttle failed student password reset answer attempts#324
fix(security): throttle failed student password reset answer attempts#324Isaries wants to merge 2 commits into
Conversation
The student password reset compared the security answer in plain text with no attempt limit, so the low-entropy answer could be brute forced to take over any student account. The change endpoint had neither a limit nor a captcha, unlike the teacher flow which locks out after repeated failures. Lock the reset after too many failed answer attempts within a short window, for both the answer check and the password change endpoints, matching the teacher flow. The counter reuses the existing failed password reset verification fields, so no schema change is needed.
|
Paired client change: WISE-Community/WISE-Client#2325 |
Aaron-Detre
left a comment
There was a problem hiding this comment.
I made one minor suggestion, but the feature works as described, and the code looks good.
…dent/StudentForgotAccountAPIController.java Co-authored-by: Aaron Detre <aarondetre@gmail.com>
|
Thanks for the review @Aaron-Detre. I have applied your suggestion for Two notes on the design, for the record:
Paired client change: WISE-Community/WISE-Client#2325 |
Summary
The student password reset compared the security answer in plain text with no limit on attempts. Because these answers are low entropy, an attacker could brute force the answer and take over a student account. This adds throttling that matches the approach the teacher password reset flow already uses.
Changes
Paired change
This is paired with a WISE-Client change (branch
fix/student-reset-throttle) that displays a message for the new throttling response code.Testing
mvnw package).