Protection against Brute Force

Hi everyone,

I am referring to this link https://success.outsystems.com/Documentation/11/Managing_the_Applications_Lifecycle/Secure_the_Applications/Protection_against_Brute_Force_Attacks

So I have set my site properties to:

I wanted to achieve a scenario where a user should be locked (2nd backoff should be triggered) for 60 minutes if he puts his password wrong at the 5th attempt itself.

But I am facing an unusual issue: sometimes the IP is being blocked, and sometimes the second-attempt lock is not happening. Please help me out with the correct values for the site properties in order to achieve the lockout (2nd backoff should be triggered) for 60 minutes if the user puts his password wrong the fifth time.

Note: The first backoff should be counted in the total of the second backoff.

Thanks & Regards,

Shivya Pant

Hi Shivya,

You can see this post:

Cheers,
Nuno Verdasca



In SP IPAttemptsSecondBackoffDelayInSeconds you just have 300. But you want 60 min, right?

If IP-level blocking is not a requirement, and you're concerned it might be affecting the username-level blocking, you can try disabling this setting:

  • EnableBruteForceProtectionPerIP: False


The remaining values are OK for your requirements:

  • EnableBruteForceProtection: True
  • MaxUsernameAttemptsFirstBackoff: 3
  • MaxUsernameAttemptsSecondBackoff: 5
  • UsernameAttemptsFirstBackoffDelayInSeconds: 5
  • UsernameAttemptsSecondBackoffDelayInSeconds: 3600
  • InvalidLoginCheckWindowInMinutes: 60


If the problem persists, I would contact OutSystems Support.
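A small simulation of the username-level backoff rule with the values listed above, added here as an illustration (it is not OutSystems' own code; the assumption that attempts made during an active lockout are rejected without being counted, and that both backoffs share one failure counter inside the check window, is mine):

```python
from dataclasses import dataclass, field

# Site-property values from the answer above (username-level only; IP-level
# blocking is assumed disabled, as suggested in the answer).
MAX_ATTEMPTS_FIRST_BACKOFF = 3      # MaxUsernameAttemptsFirstBackoff
MAX_ATTEMPTS_SECOND_BACKOFF = 5     # MaxUsernameAttemptsSecondBackoff
FIRST_BACKOFF_DELAY_S = 5           # UsernameAttemptsFirstBackoffDelayInSeconds
SECOND_BACKOFF_DELAY_S = 3600       # UsernameAttemptsSecondBackoffDelayInSeconds
CHECK_WINDOW_S = 60 * 60            # InvalidLoginCheckWindowInMinutes


@dataclass
class LoginTracker:
    """Failed-login state for one username (simplified model, not the platform's)."""
    failures: list = field(default_factory=list)  # timestamps (s) of counted failures
    locked_until: float = 0.0

    def locked(self, now: float) -> bool:
        return now < self.locked_until

    def record_failure(self, now: float) -> int:
        """Count a failed login at `now`; return the lockout delay applied (0 if none)."""
        # Only failures inside the check window count towards either backoff.
        self.failures = [t for t in self.failures if now - t < CHECK_WINDOW_S]
        self.failures.append(now)
        n = len(self.failures)
        if n >= MAX_ATTEMPTS_SECOND_BACKOFF:
            delay = SECOND_BACKOFF_DELAY_S   # 5th failure: locked for 60 minutes
        elif n >= MAX_ATTEMPTS_FIRST_BACKOFF:
            delay = FIRST_BACKOFF_DELAY_S    # 3rd/4th failure: short 5 s backoff
        else:
            delay = 0
        self.locked_until = max(self.locked_until, now + delay)
        return delay


def simulate(offsets):
    """Feed wrong-password attempts at the given second offsets (constructed input).

    Returns one (outcome, delay) pair per attempt: ("rejected", 0) when the
    attempt hits an active lockout and is not counted, else ("failed", delay).
    """
    tracker = LoginTracker()
    result = []
    for t in offsets:
        if tracker.locked(t):
            result.append(("rejected", 0))
        else:
            result.append(("failed", tracker.record_failure(t)))
    return result
```

Running `simulate([0, 1, 2, 3, 8, 9, 14])` shows the 3rd and 4th failures each applying the 5 s backoff and the 5th failure applying the 3600 s lock, with the first-backoff failures counted towards the second.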