Limit logins on satellite

This?

I made a couple of test logins with wrong credentials. As a result it seems that the account got locked. This process does not seem to be well thought out:

  1. There is no description for the valid account holder how to unlock the account. Waiting is not a good approach for the true account holder.
  2. It seems that I would be able to lock any account if I know the email address of the account holder. Simply by doing some false login attempts.
  1. I was able to do many login attempts in a row
  2. I did not receive a warning. Thinking of it, it might be this: 2 different errors on US2
    Maybe the error "Unexpected token T in JSON at position 0" should have been the warning or the lockout message? I don’t know.

My suggestions would be:

  1. Impose an increasing waiting time between wrong logins
  2. Have a process in place for the valid account holder to unlock his account
  3. Display the description to unlock / remaining waiting time
  4. Don’t allow an adversary to impose a lock onto an account just because he knows the email address of a user

There is an additional idea that I know from Lastpass and which is very useful. As a Lastpass user I can restrict login to specific IPs/Regions. And - very useful - I can disallow logins that come from the Tor network. Maybe such an implementation would be interesting to secure Storj accounts further.

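As an added example (not code from the post or from the Storj satellite), here is one way suggestions 1, 3 and 4 fit together: an increasing delay after each wrong password, keyed per (account, client address) so a stranger who only knows the e-mail cannot lock the real owner out from elsewhere, with the remaining wait time available for display. `LoginThrottle`, `RecordFailure` and `Check` are hypothetical names; a deployment would combine this with a separate per-source-address limit, which is outside this snippet.

```go
package main

import (
	"fmt"
	"time"
)

// throttleState holds consecutive failures for one (account, client) pair.
type throttleState struct {
	failures  int
	notBefore time.Time
}

// LoginThrottle doubles the wait after every wrong password, capped at max.
// The clock is injectable so the behaviour can be tested deterministically.
type LoginThrottle struct {
	base, max time.Duration
	state     map[string]*throttleState
	now       func() time.Time
}

func NewLoginThrottle(base, max time.Duration, now func() time.Time) *LoginThrottle {
	return &LoginThrottle{base: base, max: max, state: map[string]*throttleState{}, now: now}
}

// Keying on account AND client address keeps one stranger's failures from
// blocking the legitimate owner who logs in from a different address.
func key(email, clientIP string) string { return email + "|" + clientIP }

// Check returns how long this client must still wait; zero means "allowed".
// The value is what the UI should show instead of a bare "account locked".
func (t *LoginThrottle) Check(email, clientIP string) time.Duration {
	if s, ok := t.state[key(email, clientIP)]; ok {
		if wait := s.notBefore.Sub(t.now()); wait > 0 {
			return wait
		}
	}
	return 0
}

// RecordFailure schedules the next allowed attempt at base, 2*base, 4*base ... up to max.
func (t *LoginThrottle) RecordFailure(email, clientIP string) time.Duration {
	k := key(email, clientIP)
	s, ok := t.state[k]
	if !ok {
		s = &throttleState{}
		t.state[k] = s
	}
	s.failures++
	delay := t.base << (s.failures - 1)
	if delay <= 0 || delay > t.max { // shift overflow or above the cap
		delay = t.max
	}
	s.notBefore = t.now().Add(delay)
	return delay
}

// RecordSuccess clears the state: a correct login is the owner's way to unlock.
func (t *LoginThrottle) RecordSuccess(email, clientIP string) { delete(t.state, key(email, clientIP)) }

func main() {
	clock := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed fixed clock
	th := NewLoginThrottle(time.Second, time.Minute, func() time.Time { return clock })
	for i := 0; i < 4; i++ { // constructed sample: a stranger guessing from 198.51.100.7
		fmt.Println("wrong password, wait", th.RecordFailure("owner@example.com", "198.51.100.7"))
	}
	fmt.Println("owner from 203.0.113.5 waits:", th.Check("owner@example.com", "203.0.113.5"))
}
```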