[Users] Zimbra Captcha
David Sommerseth
dazo at eurephia.org
Sat Aug 4 13:03:54 CEST 2018
On 03/08/18 18:18, Deniz Kutluer wrote:
> Hello Everyone,
>
>
> I am trying to integrate Google captcha into Zimbra’s login screen.
> Is there anybody who has tried to integrate Google captcha (or other captcha tools)
> into Zimbra? Or any ideas on this subject?
>
I'd rather recommend implementing something based on OTP instead. I just
recently tried that out with Zimbra 8 against FreeIPA using LDAP
authentication. That worked out-of-the-box for all accounts with OTP
enforced. Users just need to type their password and then add the OTP code
right after it in the same password field.

For IMAP/SMTP accounts, this can be tedious though. So you can have a
fallback password with a much more "insane" password (for example, 32
characters gives you 256 bits of entropy). And then let IMAP/SMTP users use
that password. Beef this up to 48-96 characters and you most likely don't
need to worry too much about too frequent password rotations (2-3 years
password lifetime with 48 chars is probably more than good enough). Or you
can deploy Kerberos/GSSAPI in parallel with LDAP, but this might not be
practical on some devices.

I'm also using Zextras with a separate Active Sync password (managed by
Zextras Mobile) which covers those users easily as well. That password is
also only valid for Active Sync.

The reason for OTP over captcha is that OTP actually increases the security of
the Zimbra accounts while captcha is more or less just annoying and only fends
off lots of automated bruteforce attacks. If a Zimbra account has a weak
password a captcha will not protect the account while an OTP code will make
bruteforce attacks much harder.

Just my 2 cents.
--
kind regards,
David Sommerseth
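
The single-field "password followed by OTP code" login described in the reply above, as an added sketch that is not part of the original post and is not FreeIPA's or Zimbra's code. It assumes 6-digit RFC 6238 TOTP tokens and a PBKDF2-stored password; all function names and sample values are hypothetical or constructed.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6  # assumption: 6-digit tokens
STEP = 30       # assumption: 30-second TOTP time step


def totp(secret: bytes, at: int, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    mac = hmac.new(secret, struct.pack(">Q", at // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Stand-in for the directory's password hash (assumption: PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_login(field: str, salt: bytes, pw_hash: bytes, secret: bytes, now: int) -> bool:
    """Verify one login field holding the password with the OTP code appended."""
    if len(field) <= OTP_DIGITS:
        return False  # nothing left to be the password
    password, otp = field[:-OTP_DIGITS], field[-OTP_DIGITS:]
    pw_ok = hmac.compare_digest(hash_password(password, salt), pw_hash)
    # Accept the current step and one step either side to tolerate clock drift.
    valid = [totp(secret, now + d * STEP).encode() for d in (-1, 0, 1)]
    otp_ok = any([hmac.compare_digest(v, otp.encode()) for v in valid])
    return pw_ok and otp_ok  # both factors must match


if __name__ == "__main__":
    # Constructed sample account: weak password, RFC 6238 test secret.
    salt, secret = b"constructed-salt", b"12345678901234567890"
    stored = hash_password("hunter2", salt)
    print(check_login("hunter2" + totp(secret, 59), salt, stored, secret, 59))  # both factors
    print(check_login("hunter2", salt, stored, secret, 59))  # guessed password only
```

A correct guess of the weak password alone is rejected, which is the property the reply contrasts with a captcha.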