auth.user.delay-length-seconds

Background

Set the delay applied to subsequent authentication attempts after the criteria in auth.user.allowed-failures-period-length-seconds and auth.user.allowed-failures-per-period are exceeded. The delay should be high enough to make brute-force password guessing impractical while not inconveniencing legitimate users.

Please be aware that a web server thread will be kept waiting during the delay in the current implementation, so imposing a long delay risks exhausting all web server threads.
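A sizing sketch for the trade-off described above, added here as an illustration and not taken from the product. It assumes a sliding failure window per user, that an attempt is delayed once the user already has more than the allowed failures in that window, and that each delayed attempt holds one web server thread for the full delay; the function names and the sample attempts are constructed.

```python
from collections import defaultdict, deque

def delayed_attempts(attempts, allowed_failures, period_seconds, delay_seconds):
    """Return (user, arrival_time) for each attempt that would be delayed.

    attempts: (arrival_time_seconds, user, succeeded) tuples sorted by time.
    Assumption: failures are counted at arrival time in a sliding window.
    """
    failures = defaultdict(deque)  # user -> arrival times of recent failures
    delayed = []
    for t, user, succeeded in attempts:
        recent = failures[user]
        while recent and recent[0] <= t - period_seconds:
            recent.popleft()  # failure has aged out of the period
        if delay_seconds > 0 and len(recent) > allowed_failures:
            delayed.append((user, t))
        if not succeeded:
            recent.append(t)
    return delayed

def peak_threads_waiting(delayed, delay_seconds):
    """Peak number of threads held at the same time by delayed attempts."""
    events = []
    for _, t in delayed:
        events.append((t, 1))                   # thread starts waiting
        events.append((t + delay_seconds, -1))  # thread is released
    events.sort()  # at equal times a release (-1) sorts before a new wait (+1)
    peak = current = 0
    for _, step in events:
        current += step
        peak = max(peak, current)
    return peak

# Constructed sample: three accounts each fail once per second for ten
# seconds on separate connections; "bob" logs in normally at t=3.
SAMPLE = sorted(
    [(t, u, False) for u in ("u1", "u2", "u3") for t in range(10)]
    + [(3, "bob", True)]
)

if __name__ == "__main__":
    for delay in (0, 2, 5):
        hit = delayed_attempts(SAMPLE, 5, 60, delay)
        print(f"delay={delay}s delayed={len(hit)} "
              f"peak_threads={peak_threads_waiting(hit, delay)}")
```

Compare the peak against the size of the web server thread pool when choosing the delay value.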

Setting the key

Set this configuration key in the server configuration.

Use the configuration key editor to add or edit the auth.user.delay-length-seconds key, and set the value. This can be set to any valid Integer value.

Default value

Apply no delay to authentication attempts if many login failures are detected.

auth.user.delay-length-seconds=0

Examples

Apply a 5 second delay to authentication attempts if many login failures are detected.

auth.user.allowed-failures-per-period=5