auth.user.delay-length-seconds
Specifies the delay applied to authentication attempts after too many failures.
Key: auth.user.delay-length-seconds
Type: Integer
Can be set in: global.cfg
Description
Set the delay applied to subsequent authentication attempts after the criteria in auth.user.allowed-failures-period-length-seconds and auth.user.allowed-failures-per-period is exceeded. The delay should be a high enough value to make brute force password guessing impractical while not inconveniencing legitimate users.
Please be aware that a web server thread will be kept waiting during the delay in the current implementation, so imposing a long delay risks exhausting all web server threads.
Default Value
Apply no delay to authentication attempts if many login failures are detected.
auth.user.delay-length-seconds=0
Examples
Apply a 5 second delay to authentication attempts if many login failures are detected.
auth.user.allowed-failures-per-period=5