aqualord 2 Posted January 3 Hi, After 15 minutes of looking for the answer I gave up. How many times does a user need to input a wrong password to be banned? Is it configurable? I created a new user for that test, I attempted to log in with a wrong password about 20 times, and even though I saw in the dashboard that the user was blocked, I was able to log in later... So for how long is a user blocked? Or is it really blocked?
Luke 42251 Posted January 4 Hi, for a non-admin user, they are locked out after 10 consecutive unsuccessful attempts. For an admin user it is 5.
aqualord 2 Posted January 4 Author Thanks @Luke. But for how long is it locked? It seems to be one minute or two... Is that not too short?
Luke 42251 Posted January 4 11 minutes ago, aqualord said: Thanks @Luke. But for how long is it locked? It seems to be one minute or two... Is that not too short? Hi, yes it is very short, for one minute. But that is still enough to make brute force login attempts unrealistic if you have a strong password.
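Added illustration, not Emby's own code: a model of the lockout policy as Luke describes it (10 consecutive failures for a regular user, 5 for an admin, one minute lock), plus a bound on how many guesses per day the policy permits, which is what makes his "unrealistic with a strong password" point measurable. That attempts during the lock are rejected without checking the password and that the failure counter restarts when the lock expires are assumptions; account names and credentials are constructed.

```python
"""Model of the per-account lockout described in the thread (constructed example).
Thresholds and lock duration come from the thread; counter-reset semantics are assumed."""
from dataclasses import dataclass

LOCKOUT_SECONDS = 60                       # lock duration stated in the thread
FAIL_THRESHOLD = {"user": 10, "admin": 5}  # consecutive failures before a lock


@dataclass
class Account:
    name: str
    role: str                 # "user" or "admin"
    password: str             # constructed sample credential, plain text for the model only
    failures: int = 0         # consecutive failures since the last success
    locked_until: float = 0.0 # epoch seconds; 0.0 means not locked


def attempt_login(acct: Account, password: str, now: float) -> str:
    """Process one login attempt at time `now`; return 'locked', 'ok' or 'fail'."""
    if now < acct.locked_until:
        return "locked"       # assumption: rejected without evaluating the password
    if password == acct.password:
        acct.failures = 0     # a success clears the consecutive-failure counter
        return "ok"
    acct.failures += 1
    if acct.failures >= FAIL_THRESHOLD[acct.role]:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failures = 0     # assumption: counting restarts after the lock expires
    return "fail"


def max_guesses_per_day(role: str) -> int:
    """Upper bound on guesses an attacker can submit in 24h against one account:
    each cycle of FAIL_THRESHOLD guesses is followed by a LOCKOUT_SECONDS pause,
    and the time to submit the guesses themselves is treated as zero."""
    cycles_per_day = 24 * 3600 // LOCKOUT_SECONDS
    return cycles_per_day * FAIL_THRESHOLD[role]


if __name__ == "__main__":
    admin = Account("admin1", "admin", "correct-horse-battery")  # constructed
    for t in range(6):                     # six wrong guesses, one second apart
        print(t, attempt_login(admin, "wrong", float(t)))
    print("guesses/day, user:", max_guesses_per_day("user"))
    print("guesses/day, admin:", max_guesses_per_day("admin"))
```

Against a password drawn from a space of even 10^9 candidates, the 14,400-guesses-per-day bound for a regular account makes online guessing impractical, which is why the thread's later posts shift to password strength, transport encryption and log monitoring rather than the lock duration.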
TMCsw 260 Posted January 5 For better control... Linux: https://github.com/fail2ban/fail2ban Windows: https://osric.com/chris/accidental-developer/2021/12/ipban-fail2ban-for-windows/ / https://www.itefix.net/win2ban (not sure about this???)
aqualord 2 Posted January 5 Author Luke, but how can I control whether the password is strong if I have at least one user besides me? @TMCsw is it possible to integrate fail2ban with Emby? For now I just use a VPN, but if in future I would like to give access to someone else, fail2ban would be great. Anyway, 2FA would be the best one. I already found an option with Authelia, but it works only for Web... Edited January 5 by aqualord
Luke 42251 Posted January 5 1 hour ago, aqualord said: Luke, but how can I control whether the password is strong if I have at least one user besides me? Currently you can't, but we can add more options around this.
pwhodges 2036 Posted January 5 8 hours ago, aqualord said: Luke, but how can I control whether the password is strong if I have at least one user besides me? Set their password yourself and untick the property that allows them to change it. Paul
rbjtech 5345 Posted January 5 See - Sadly, Emby still has zero password entropy checking - which in 2026 is beyond poor. If external access is enabled, a decent password should be mandatory - there is really no debate to be had on this - and despite the history of breaches, Emby refuse to implement it. Emby really need to get with the times; even 2FA is old hat now - FIDO2 integration should be on the list for 2026 to show some love to the future of Emby security.
rbjtech 5345 Posted January 5 9 hours ago, aqualord said: @TMCsw is it possible to integrate fail2ban with Emby? Yes, but you have to scrape the Emby log for the failed attempts - all doable in fail2ban etc.
aqualord 2 Posted January 7 Author On 05/01/2026 at 13:13, rbjtech said: See - Sadly, Emby still has zero password entropy checking - which in 2026 is beyond poor. If external access is enabled, a decent password should be mandatory - there is really no debate to be had on this - and despite the history of breaches, Emby refuse to implement it. Emby really need to get with the times; even 2FA is old hat now - FIDO2 integration should be on the list for 2026 to show some love to the future of Emby security. Yeah, because of this lack of 2FA I'm not sharing Emby without a VPN. Lack of 2FA in 2026 is really out of date... But anyway, there's the same problem on Jellyfin. You can set up Authelia, but it will work only in a web browser.
rbjtech 5345 Posted January 7 27 minutes ago, aqualord said: Yeah, because of this lack of 2FA I'm not sharing Emby without a VPN. Lack of 2FA in 2026 is really out of date... But anyway, there's the same problem on Jellyfin. You can set up Authelia, but it will work only in a web browser. As long as you maintain a good security framework (i.e. decent password + https etc.) and monitor failed login attempts (I use Pushover to get an instant alert on my phone), then personally I don't see 2FA as essential, as I've configured Emby so no admin can be done remotely anyway (via the Emby login).
TMCsw 260 Posted January 8 12 hours ago, aqualord said: Yeah, because of this lack of 2FA I'm not sharing Emby without a VPN. Lack of 2FA in 2026 is really out of date... Kinda agree, but not really, as Emby is not a financial application! Note: there are many other ways to secure your server. Note: out of the box, most web servers offer very little security! I think 2FA/MFA is asking too much of a small software vendor at this time. As many others have said, this is probably way down the road for implementation. But I do think the priority should be the administrator's right to enforce password strength of their choice (none/low/mid/high/extremely high...). And for sure, plug the existing known holes!! I.e., downloading images without authorization, etc.
rbjtech 5345 Posted January 8 7 hours ago, TMCsw said: Kinda agree, but not really, as Emby is not a financial application! Note: there are many other ways to secure your server. Note: out of the box, most web servers offer very little security! I think 2FA/MFA is asking too much of a small software vendor at this time. As many others have said, this is probably way down the road for implementation. But I do think the priority should be the administrator's right to enforce password strength of their choice (none/low/mid/high/extremely high...). And for sure, plug the existing known holes!! I.e., downloading images without authorization, etc. Agree, and I've said this many times - let Emby focus on getting the basics implemented (password entropy enforcement if remote access has been enabled, patching known security vulnerabilities) and once all that is complete, then implement MFA and/or modern auth. Also worth remembering that the vast majority of users still use what is offered out of the box - http - so any passwords, passphrases, keys, Emby IDs etc. are all sent in plain text - so a high entropy password is beyond useless if you can just snoop it anyway ...