[TYPO3-core] Remove/Reduce forced delay on failed BE logins
Fabien Udriot
fabien.udriot at ecodev.ch
Fri May 10 19:17:07 CEST 2013
Hi Steffen,
I have nothing against that and would even wish for this. Related to security, could this
5-second delay be re-introduced after the third (or whatever) wrong login attempt? This
would be a compromise, IMO.
Fb.
On 5/10/13 5:12 PM, Steffen Müller wrote:
> Hi.
>
> There is a delay of 5 seconds when the BE login fails.
>
> LoginController::checkRedirect()
> ...
> sleep(5);
> ...
>
> http://forge.typo3.org/projects/typo3v4-core/repository/revisions/master/entry/typo3/sysext/backend/Classes/Controller/LoginController.php#L417
>
> I'd like to get rid of that or reduce the number of seconds, because
> a) IMHO waiting 5 seconds reduces usability
> b) Test automation heavily slows down.
>
> I know it is meant to slow down brute force attacks, but one could still
> drive multiple attempts in parallel.
>
> What's your opinion?
> What do you think about the trade-off between security and
> usability/testability?
>
>
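A sketch of the compromise discussed in this thread, as an added example that is not code from TYPO3 or from either poster: the first three failures cost nothing, after that the account is refused for 5 seconds, and the refusal is a server-side check rather than a sleep(), so parallel requests for the same account hit the same counter. Assumptions: the class name FailedLoginThrottle, its methods, the 15-minute expiry and the in-memory array (standing in for a database or cache shared by all PHP workers) are hypothetical; requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical class, not part of TYPO3.
final class FailedLoginThrottle
{
    /** @var array<string, array{count: int, last: int}> failure state per account key */
    private array $failures = [];

    public function __construct(
        private int $freeAttempts = 3,  // failures allowed without any delay (thread's proposal)
        private int $delaySeconds = 5,  // delay discussed in the thread
        private int $forgetAfter = 900  // assumed: stale counters expire after 15 minutes
    ) {}

    /** Seconds to wait before this key may try again; call BEFORE verifying the password. */
    public function secondsUntilAllowed(string $key, int $now): int
    {
        $entry = $this->failures[$key] ?? null;
        if ($entry === null || $now - $entry['last'] >= $this->forgetAfter) {
            unset($this->failures[$key]);
            return 0;
        }
        if ($entry['count'] < $this->freeAttempts) {
            return 0; // still inside the free attempts, no usability cost
        }
        return max(0, $entry['last'] + $this->delaySeconds - $now);
    }

    public function recordFailure(string $key, int $now): void
    {
        $prev = $this->failures[$key] ?? null;
        $fresh = $prev !== null && $now - $prev['last'] < $this->forgetAfter;
        $this->failures[$key] = ['count' => $fresh ? $prev['count'] + 1 : 1, 'last' => $now];
    }

    public function recordSuccess(string $key): void
    {
        unset($this->failures[$key]); // a valid login clears the counter
    }
}

// Constructed walk-through with fixed timestamps and a constructed account name.
$throttle = new FailedLoginThrottle();
foreach ([100, 101, 102] as $t) {
    $throttle->recordFailure('admin', $t);
}
var_dump($throttle->secondsUntilAllowed('admin', 103)); // inside the delay after the third failure
var_dump($throttle->secondsUntilAllowed('admin', 107)); // delay has elapsed
```

A caller would reject the request without checking the password whenever secondsUntilAllowed() returns a non-zero value; test automation that logs in correctly never reaches the delay.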