[TYPO3-english] Typo3 BE login security

Tonix (Antonio Nati) tonix at interazioni.it
Mon Mar 29 09:54:58 CEST 2010


Pero Matic wrote:
> Steffen Müller wrote:
>   
>> Hi.
>>
>> On 25.03.2010 15:36 Tonix (Antonio Nati) wrote:
>>     
>>> I feel disabling temporarily accounts is a great idea, if it is done
>>> in a selective way.
>>>
>>>       
>> Take IP spoofing into account, mobbing of colleagues, ...
>> Blacklisting means much hassle, which can be avoided by good
>> passwords. Brute force on strong >12 character password will probably
>> always fail, especially with the delay we have on false BE logins.
>> IMHO no need for complex blacklisting routines.
>>     
>
> Yes, but 12 character strong passwords i.e. *j8j_2^%!-Jh are science fiction
> for normal users. Personally I too hate to enter such crap which I can't
> remember and I'd hate to force such a hassle on users. I don't see a problem
> in blocking an IP from which came 10 or 20 false logins in one hour or half an
> hour.
>   

Moreover, if you are developing a website with strong security needs, you 
must have such "security constraints" regardless of password length.

The login and access phase (mainly FE, while for BE you can apply IP 
filters) could be improved a lot.

Tonino



-- 
------------------------------------------------------------
        Inter at zioni            Interazioni di Antonio Nati 
   http://www.interazioni.it      tonix at interazioni.it           
------------------------------------------------------------
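
An added example (not from this thread and not TYPO3 code): a sliding-window failed-login throttle using the "10 false logins in one hour" figure from the quoted message. The per-(account, IP) limit of 5, the 30-minute block length and all names are assumptions; blocks are keyed on the source IP or the account/IP pair, so failures from one address cannot lock an account out everywhere.

```python
from collections import defaultdict, deque

WINDOW = 3600        # seconds: "one hour" from the thread
IP_LIMIT = 10        # failed logins per IP per window, from the thread
PAIR_LIMIT = 5       # assumed: failures per (account, IP) pair
BLOCK_FOR = 1800     # assumed: temporary block length in seconds


class LoginThrottle:
    """Sliding-window counter of failed logins, kept in memory."""

    def __init__(self):
        self.failures = defaultdict(deque)   # key -> timestamps of failures
        self.blocked_until = {}              # key -> unblock time

    def _keys(self, user, ip):
        # Block the source IP, or the (user, ip) pair, never the bare account:
        # failures from one address cannot lock the user out everywhere.
        return (("ip", ip), IP_LIMIT), (("pair", user, ip), PAIR_LIMIT)

    def is_blocked(self, user, ip, now):
        return any(self.blocked_until.get(k, 0) > now for k, _ in self._keys(user, ip))

    def record_failure(self, user, ip, now):
        for key, limit in self._keys(user, ip):
            q = self.failures[key]
            q.append(now)
            while q and q[0] <= now - WINDOW:   # drop failures older than the window
                q.popleft()
            if len(q) >= limit:
                self.blocked_until[key] = now + BLOCK_FOR
                q.clear()

    def record_success(self, user, ip):
        # A good login resets the pair counter, not the per-IP counter,
        # so one valid account cannot launder guesses against others.
        self.failures.pop(("pair", user, ip), None)


def demo():
    t = LoginThrottle()
    # Constructed sample: 5 bad guesses for "editor" from one documentation address.
    for s in range(5):
        t.record_failure("editor", "203.0.113.7", now=s)
    return (
        t.is_blocked("editor", "203.0.113.7", now=10),             # pair is blocked
        t.is_blocked("editor", "198.51.100.4", now=10),            # same user elsewhere is not
        t.is_blocked("editor", "203.0.113.7", now=5 + BLOCK_FOR),  # block has expired
    )
```

The store is in-process memory; a real deployment would need shared, persistent state and the true client address behind any proxy.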


