reCAPTCHA or other way to brute-force protect login page

Hi,
I was wondering how it is possible not to have incorporated a captcha or another mechanism for brute force attacks on the login page.
It doesn’t look secure enough for a remote install on a hosting service other than our intranet, and maybe not even there…
I was comparing it to the overly popular WordPress installs that have numerous ways of blocking unwanted login attempts, banning mechanisms of IP addresses, captcha verifications, login timeouts and general timers to name a few. Does anybody share the same thoughts with me on this?
Has anyone made an effort to look into this as an issue?
Thanks

Hi @kounelii,

Generally, EMRs aren’t public facing, so the chances of a brute force attack are minimal. OpenEMR is fully HIPAA compliant, but there’s always more we can be doing to improve security.

The biggest roadblock to new features is having a developer to do the work. If you’d like to work on a captcha system we can get you started on contributing to the community!

Hi, sure @robert.down, I would like to try out a few mods on /interface/login/login.php to see how it goes and maybe pass it on to the next patch.
You develop on SourceForge, right?
Good day

I suggest working on GitHub; we’ve retired a lot of the SourceForge usage. Fork a copy of the repo on GitHub, make your changes on a feature branch and submit a PR.