CWE-307
Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Status
draft
Abstraction
base
Affected Platforms
Technical Details
Common Consequences
access control
Impacts
bypass protection mechanism
Detection Methods
dynamic analysis with automated results interpretation
dynamic analysis with manual results interpretation
manual static analysis - source code
automated static analysis - source code
automated static analysis
architecture or design review
Potential Mitigations
Phases:
architecture and design
Descriptions:
•
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
•
Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
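As an added example (not part of the CWE entry, of OpenSSL or of ESAPI), the Python below puts the weakness beside a hardened verifier that combines three of the mechanisms listed above: a per-account and per-source-address lockout after a small number of failures, with a timeout that escalates on each further failure. A simulated online guessing attack is run against both so the difference is measurable. The user name, addresses, credential store, guess list and lockout parameters are all constructed for the example; a production system would store a slow salted hash (argon2id, bcrypt, PBKDF2) rather than the plain salted SHA-256 used here to keep the example fast.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed credential store: one user, salted SHA-256 (illustrative only).
_SALT = os.urandom(16)
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse battery staple").digest()}


def check_password(username: str, password: str) -> bool:
    """Baseline verifier with no attempt limiting: this is the weakness itself."""
    candidate = hashlib.sha256(_SALT + password.encode()).digest()
    stored = _USERS.get(username)
    if stored is None:
        # Unknown user: compare against a dummy so timing does not reveal valid usernames.
        stored = bytes(32)
    return hmac.compare_digest(stored, candidate)


@dataclass
class _Counter:
    failures: int = 0
    locked_until: float = 0.0


class RateLimitedAuthenticator:
    """check_password wrapped with per-account and per-source lockout plus an
    escalating timeout. Parameters are illustrative, not recommended values."""

    def __init__(self, max_failures=5, base_lockout=30.0, max_lockout=3600.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.clock = clock  # injectable so the simulation below can fake time
        self._accounts: dict[str, _Counter] = {}
        self._sources: dict[str, _Counter] = {}

    def _record_failure(self, counter: _Counter, now: float) -> None:
        counter.failures += 1
        if counter.failures >= self.max_failures:
            # Once the threshold is reached every further failure locks again,
            # doubling the timeout: 30s, 60s, 120s ... capped at max_lockout.
            extra = counter.failures - self.max_failures
            counter.locked_until = now + min(self.base_lockout * 2 ** extra, self.max_lockout)

    def login(self, username: str, password: str, source: str) -> tuple[bool, str]:
        now = self.clock()
        acct = self._accounts.setdefault(username, _Counter())
        src = self._sources.setdefault(source, _Counter())
        # Check the lockout BEFORE verifying the password: a correct guess made
        # during a lockout must fail too, or the attacker still learns the password.
        if now < acct.locked_until or now < src.locked_until:
            return False, "locked"
        if check_password(username, password):
            acct.failures = 0  # only the account resets; one success does not clear a noisy source
            return True, "ok"
        self._record_failure(acct, now)
        self._record_failure(src, now)
        return False, "invalid"


class FakeClock:
    """Deterministic stand-in for time.monotonic used by the simulation."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate_bruteforce(login, guesses, clock, interval=1.0):
    """Online guessing at one guess per `interval` seconds.
    Returns (guesses the server actually evaluated, password found?)."""
    evaluated = 0
    for guess in guesses:
        ok, status = login(guess)
        if status != "locked":
            evaluated += 1
            if ok:
                return evaluated, True
        clock.advance(interval)
    return evaluated, False


def compare_defences(n_guesses: int = 100, correct_at: int = 49):
    """Same constructed guess list against the unprotected verifier and the
    rate-limited one; returns ((evaluated, found), (evaluated, found))."""
    guesses = [f"guess{i}" for i in range(n_guesses)]
    guesses[correct_at] = "correct horse battery staple"
    unprotected = simulate_bruteforce(
        lambda pw: (check_password("alice", pw), "unlimited"), guesses, FakeClock())
    clock = FakeClock()
    limited = RateLimitedAuthenticator(clock=clock)
    protected = simulate_bruteforce(
        lambda pw: limited.login("alice", pw, "198.51.100.7"), guesses, clock)
    return unprotected, protected


if __name__ == "__main__":
    (u_eval, u_found), (p_eval, p_found) = compare_defences()
    print(f"unprotected: {u_eval} guesses evaluated, found={u_found}")
    print(f"rate-limited: {p_eval} guesses evaluated, found={p_found}")
```

With the constructed 100-guess list the unprotected verifier evaluates 50 guesses and finds the password; the rate-limited one evaluates 7 in the same 100 seconds and never reaches it, because the correct guess arrives during a lockout. Two caveats a practitioner should keep in mind: account lockout on its own is a denial-of-service lever (anyone who knows a user name can lock that user out), which is why the example also counts per source address, and the per-source counter is trivially spread across many addresses by a distributed attacker, which is where the fourth mechanism above (a computational task such as a CAPTCHA or proof-of-work, not implemented here) earns its place. Counters are kept for unknown user names too, so the "locked" status does not reveal whether an account exists.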