awilliams
Instructure

Does anyone know how Canvas handles brute-forcing?


I'm in a bit of a security mindset atm (see my latest idea post) and I realized I actually have no idea how Canvas handles brute-forcing. Does anyone know this by chance? Is there a scaling delay on consecutive login attempts or an eventual lock-out point?

1 Solution
scottdennis
Community Team

Hi Adam,

Please discuss this with your CSM. They can put you in touch with the right people to discuss this further. For most of the time that I have worked for Instructure I have been located within close proximity to our support folks and I hear them discussing these issues with customers and people evaluating Canvas all the time. What I would strongly advise you or anyone else reading this to please not do is subject production Canvas to brute force or denial attacks just to test the system. If you are interested in doing that kind of testing we have ways to help you learn more without you trying to take the system down.


8 Replies
Thanks @scottdennis. I will ask during our next phone call. That is indeed a good point you mention about not taking it on our own to try and find out.

Hey Adam,

One other thought; every institutionally identified Canvas admin should now have access to the known issues space - great place for similar conversation.

Interesting. I would not have thought to mention it there. I will keep this in mind for the future but for now your answer makes perfect sense. I can understand the desire to keep certain security details private between CSM and Admin but how would you feel about me reporting back what I find out from my CSM after our conversation next Friday to this group for others to benefit from? (PS. We love @ndittemore)

Hey awilliams

@ndittemore is awesome. You are in good hands there.

I like the idea of you reporting back here to the general community on what ultimately proved the best route to get the kind of information you are looking for. As you know we take security seriously. If in your testing of Canvas you uncover what you consider to be a vulnerability please report it to security@instructure.com rather than posting it here.

Thanks

@scottdennis - how do we access the "known issues" space?

Thanks!


Hey @millerjm, you can go to Browse->Places, and then type in "top" or you can type in "Top Known" in the search bar.


Hi Joni,

If you are not seeing the group via the method awilliams helpfully suggested, please notify your CSM. It should be visible to all institutional admins.