[TYPO3-english] Typo3 BE login security
Tonix (Antonio Nati)
tonix at interazioni.it
Thu Mar 25 15:36:37 CET 2010
I feel temporarily disabling accounts is a great idea, if it is done in
a selective way.
Example: after 5 wrong logins
* disable the attacking IP for a few minutes (only against the
attacked account)
* if there is a mass attack on one account, disable that account
from all IPs for a few minutes
* if there is a mass attack from one IP on different accounts,
disable that IP for a few minutes for any login
* make a whitelist for IPs/accounts with wider limits or which must
not be disabled at all.
It should be implemented in FE logins too.
Tonino
Steffen Müller wrote:
> Hi.
>
> On 24.03.2010 22:46 Pero Matic wrote:
>> IPs. I found nice extension that can disable account after n wrong
>> u/p attempts,
>
> Bad idea, it opens the doors for DOS attacks.
>
> If you can't filter by IP, using SSL/rsa auth and strong passwords is
> a good solution.
> IMHO there's an extension which helps you to force usage of strong
> passwords: be_secure_pw (untested)
> http://typo3.org/documentation/document-library/extension-manuals/be_secure_pw/0.2.0/view/
>
> Although this could be improved, e.g. filtering against wordbooks.
>
> Password length is very important. I suggest >12 chars
>
--
------------------------------------------------------------
Inter at zioni Interazioni di Antonio Nati
http://www.interazioni.it tonix at interazioni.it
------------------------------------------------------------
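The selective scheme from the post (per IP-and-account, per account, per IP, plus a whitelist) as a small Python policy class. This is an added example, not code from TYPO3 or from any extension mentioned in the thread; the thresholds, the time window and what counts as a "mass attack" are assumed values.

```python
import time
from collections import defaultdict, deque

class SelectiveLockout:
    """Counts failed logins per (ip, account), per account and per IP inside a
    sliding window and locks only the key whose limit was crossed. whitelist maps
    an IP or account to a limit multiplier, or to None for 'never disable'."""

    def __init__(self, limit=5, mass_limit=20, window=300, lock_time=300, whitelist=None):
        self.limit, self.mass_limit = limit, mass_limit        # assumed thresholds
        self.window, self.lock_time = window, lock_time        # seconds
        self.whitelist = whitelist or {}
        self.fails = defaultdict(deque)   # key -> failure timestamps
        self.locks = {}                   # key -> unlock timestamp

    def _recent(self, key, now):
        q = self.fails[key]
        while q and q[0] <= now - self.window:   # drop failures outside the window
            q.popleft()
        return len(q)

    def _effective_limit(self, base, *names):
        for n in names:                          # whitelisted IP or account
            if n in self.whitelist:
                factor = self.whitelist[n]
                return None if factor is None else base * factor
        return base

    def is_blocked(self, ip, account, now=None):
        now = time.time() if now is None else now
        return any(self.locks.get(k, 0) > now
                   for k in ((ip, account), ("account", account), ("ip", ip)))

    def record_failure(self, ip, account, now=None):
        """Register one failed login; returns the keys this failure locked."""
        now = time.time() if now is None else now
        rules = [((ip, account), self.limit, (ip, account)),          # one IP -> one account
                 (("account", account), self.mass_limit, (account,)),  # many IPs -> one account
                 (("ip", ip), self.mass_limit, (ip,))]                 # one IP -> many accounts
        locked = []
        for key, base, names in rules:
            self.fails[key].append(now)
            limit = self._effective_limit(base, *names)
            if limit is not None and self._recent(key, now) >= limit:
                self.locks[key] = now + self.lock_time
                self.fails[key].clear()
                locked.append(key)
        return locked
```

A lock on one key leaves the other two untouched, so five failures from one IP lock only that IP/account pair, while the account stays reachable from elsewhere and the IP can still log in to other accounts.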