[TYPO3-core] Remove/Reduce forced delay on failed BE logins

Philipp Gampe philipp.gampe at typo3.org
Sat May 11 22:19:47 CEST 2013


Hi Fabien,

Fabien Udriot wrote:

> I have nothing against that and would even wish this. Related to security,
> could it be made to have this 5 second of delay re-introduced after the
> third (or whatever) wrong attempt of login. This would be a compromise,
> IMO.

This is too complicated IMHO ... the auth process is already very 
complicated.
You will get a warning email (if you set up an address in the install tool) 
after four unsuccessful attempts anyway.

If you log to syslog (or any other log) with attached monitoring and 
automatic escalation, you can respond appropriately.

It makes much of a difference whether you can launch 50 or 50,000 attempts per 
second if you have a "human" response time of half an hour.


However this really depends on your needs.


What could be interesting is incrementing the delay time, or an 
automatic lock of the user after x login attempts.
However this should be done in a custom extension.

Best regards
-- 
Philipp Gampe – PGP-Key 0AD96065 – TYPO3 UG Bonn/Köln
Documentation – Active contributor TYPO3 CMS
TYPO3 .... inspiring people to share!