on 25 Sep 2025 10:44 PM
The security team is reporting insufficient rate limiting on the Dynatrace Managed user login page, which allows multiple password attempts and potential brute-force attacks.
| Issue | Solution | Tasks | Alternatives |
| --- | --- | --- | --- |
| The user login page requires a username and a password for login. After three failed attempts, the system enforces a one-minute delay, allowing approximately 180 attempts per hour. | Dynatrace Managed enforces strong password complexity rules, making brute-force attacks highly impractical. See below for more information. | Enforce strong password policies and follow best practices. | Consider integrating SSO and leveraging the additional security offered by the Identity Provider. |
Dynatrace Managed enforces strong security measures to protect user authentication. Dynatrace has implemented password complexity rules that require a combination of uppercase, lowercase, digits, and special characters. These measures significantly reduce the feasibility of brute-force attacks.
Based on these rules, even without additional rate-limiting mechanisms, it would take an estimated 200 years to successfully brute-force a password that meets only the minimum requirements.
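The throttle described in the table (three failed attempts, then a one-minute delay) can be modelled to check the 180-attempts-per-hour ceiling and to see how request latency lowers it. This is an added illustration, not Dynatrace code; the class and function names, the latency parameter and the sample candidate count are assumptions made for the example.

```python
"""Model of a login throttle: N consecutive failures trigger a fixed delay.
Added illustration; not Dynatrace code. Names are hypothetical, defaults come
from the figures quoted in this article (3 failures, 60 s delay)."""


class LoginThrottle:
    def __init__(self, max_failures=3, delay_s=60.0):
        self.max_failures = max_failures
        self.delay_s = delay_s
        self.failures = 0
        self.locked_until = 0.0

    def allowed(self, now):
        """True if a login attempt may be processed at time `now` (seconds)."""
        return now >= self.locked_until

    def record_failure(self, now):
        """Count a failed login; start the delay once the limit is reached."""
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.delay_s
            self.failures = 0


def attempts_in_window(window_s=3600.0, max_failures=3, delay_s=60.0, latency_s=0.0):
    """Failed attempts one account absorbs in `window_s` seconds when a client
    retries as soon as the throttle permits. `latency_s` is the assumed time
    each request takes to complete."""
    throttle = LoginThrottle(max_failures, delay_s)
    now, attempts = 0.0, 0
    while now < window_s:
        if not throttle.allowed(now):
            now = throttle.locked_until  # wait out the delay
            continue
        attempts += 1
        now += latency_s
        throttle.record_failure(now)
    return attempts


def years_to_try(candidates, per_hour):
    """Years needed to submit `candidates` guesses at `per_hour` guesses/hour."""
    return candidates / (per_hour * 24 * 365)


if __name__ == "__main__":
    ceiling = attempts_in_window()  # zero-latency upper bound
    print("attempts/hour (ceiling):", ceiling)
    print("attempts/hour (1 s per request):", attempts_in_window(latency_s=1.0))
    # 10**9 is a constructed sample size, not a figure from this article.
    print("years for 10**9 guesses:", round(years_to_try(10**9, ceiling), 1))
```

The zero-latency result is the upper bound for a single account; any real request time only reduces it.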
For more details, refer to the official documentation:
Password Complexity Rules