[TYPO3-core] Remove/Reduce forced delay on failed BE logins

Steffen Müller typo3 at t3node.com
Fri May 10 21:47:31 CEST 2013


Hi.

On 10.05.2013 21:00 Jigal van Hemert wrote:
> b) In what way does it slow test automation down? Are you testing failed
> logins?

Indeed I do. To verify that a login feature works, I expect a certain
behavior on both successful and unsuccessful logins. How else would you
test that TYPO3 prevents a user with a wrong password from authenticating?

> 
> Maybe you can come up with a better alternative that:
> - prevents brute force attacks

Well, this is another topic and not easy to answer. The current solution
does not prevent brute force attacks. It just raises the duration to
successfully finish an attack.
I'd say a built-in TYPO3 solution can't do that without severe side effects.


