[TYPO3-core] Remove/Reduce forced delay on failed BE logins
Jigal van Hemert
jigal.van.hemert at typo3.org
Fri May 10 21:00:37 CEST 2013
Hi,
On 10-5-2013 17:12, Steffen Müller wrote:
> There is a delay of 5 seconds when the BE login fails.
[...]
> I'd like to get rid of that or reduce the number of seconds, because
> a) IMHO waiting 5 seconds reduces usability
> b) Test automation heavily slows down.
>
> I know it is meant to slow down brute force attacks, but one could still
> drive multiple attempts in parallel.
Reducing security just like that is not an option for me.
a) the waiting period for a successful login and a failed login is
roughly the same (perception). If you enter the correct login, usability
is no problem.
b) In what way does it slow test automation down? Are you testing failed
logins?
> What's your opinion?
Maybe you can come up with a better alternative that:
- prevents brute force attacks
- cannot be circumvented
--
Jigal van Hemert
TYPO3 CMS Core Team member
TYPO3 .... inspiring people to share!
Get involved: typo3.org
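
The two requirements above (prevents brute force, cannot be circumvented) and the quoted point about parallel attempts can be compared in a small model. This is an added example, not code from this thread or from TYPO3; `AccountThrottle`, its parameters and both `guesses_*` functions are hypothetical, and it assumes failure state is shared by every request handler.

```python
import threading

class AccountThrottle:
    """Per-username failure counter with exponential lockout (hypothetical design)."""
    def __init__(self, free_attempts=3, base_lock=5.0, max_lock=3600.0):
        self.free_attempts = free_attempts
        self.base_lock = base_lock
        self.max_lock = max_lock
        # Assumption: in a real deployment this state lives in shared storage
        # (for example the database), so every worker sees the same counters.
        self._state = {}  # username -> (failures, locked_until)
        self._mutex = threading.Lock()

    def attempt(self, username, check, now):
        """Return 'ok', 'failed' or 'locked'; check() is not called while locked."""
        with self._mutex:
            failures, locked_until = self._state.get(username, (0, 0.0))
            if now < locked_until:
                return "locked"
            if check():
                self._state.pop(username, None)  # success resets the counter
                return "ok"
            failures += 1
            over = failures - self.free_attempts
            if over >= 0:  # lock doubles with every further failure
                locked_until = now + min(self.base_lock * 2 ** over, self.max_lock)
            self._state[username] = (failures, locked_until)
            return "failed"

def guesses_with_fixed_delay(window, delay, connections):
    """Passwords evaluated in `window` seconds when a failed request only sleeps `delay`."""
    return int(window // delay) * connections

def guesses_with_throttle(window, connections, step=1.0):
    """Same window, each connection retrying one account every `step` seconds."""
    throttle = AccountThrottle()
    evaluated, t = 0, 0.0
    while t < window:
        for _ in range(connections):
            if throttle.attempt("admin", lambda: False, t) == "failed":
                evaluated += 1
        t += step
    return evaluated
```

With these constructed numbers, a 5-second sleep allows 12 guesses per minute on one connection and 240 on twenty, while the shared counter allows 6 in both cases. A per-account lock lets anyone lock out a known username and does not limit guesses spread across many accounts, so it is usually combined with per-source limits.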