[TYPO3-core] Remove/Reduce forced delay on failed BE logins

Fabien Udriot fabien.udriot at ecodev.ch
Mon May 13 09:08:10 CEST 2013


>> I have nothing against that and would even wish this. Related to security,
>> could it be made to have this 5-second delay re-introduced after the
>> third (or whatever) wrong attempt of login? This would be a compromise,
>> IMO.
> 
> This is too complicated IMHO ... the auth process is already very 
> complicated.

I don't understand where the complication is. We are capable of counting the wrong login attempts
when sending warning emails, aren't we? So, we should be able to increase the waiting time linearly.

Pseudo code to give the idea:

<?php
$interval = 5;        // wrong logins per step
$delayInSecond = 3;   // extra seconds added per step
// ($numberOfWrongLogin - 1) so that attempts 1-5 give 0 s, 6-10 give 3 s, 11-15 give 6 s
sleep((int) floor(($numberOfWrongLogin - 1) / $interval) * $delayInSecond);

-> from 1 to 5 wrong logins you will have 0 delay
-> from 6 to 10: 3 seconds of delay
-> from 11 to 15: 6 seconds of delay
-> ...

Where is the devil hiding?
Perhaps because I didn't have a close look at the source code ;)

All the best,

Fb.

> You will get a warning email (if you set up an address in the install tool) 
> after four unsuccessful attempts anyway.
> 
> If you log to syslog (or any other log) with attached monitoring and 
> automatic escalation, you can respond appropriately.
> 
> It makes much of a difference whether you can launch 50 or 50.000 attempts per 
> second if you have a "human" response time of half an hour.
> 
> 
> However this really depends on your needs.
> 
> 
> What could be interesting is an increment of the time after a delay, or an 
> automatic lock of the user after x login attempts.
> However, this should be done in a custom extension.
> 
> Best regards
> 
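Fabien's sketch carried through as working code, added here as an example (not from the thread and not TYPO3 core code): the linear schedule from his message plus a per-account failure counter. The counter is in memory, the cap, the reset window and the account key are assumptions, and PHP 8 syntax is assumed; a real implementation would persist the counter.

```php
<?php
// Escalating delay for failed backend logins: every $interval consecutive
// failures add $delayInSecond seconds. Cap and reset window are assumptions
// (not from the thread) so the worst case stays bounded and a user who
// finally remembers the password is not delayed forever.
final class LoginDelayPolicy
{
    /** @var array<string, array{count: int, last: int}> failures per account */
    private array $failures = [];

    public function __construct(
        private int $interval = 5,
        private int $delayInSecond = 3,
        private int $maxDelay = 30,
        private int $resetWindow = 900,
    ) {}

    // Attempts 1-5 -> 0 s, 6-10 -> 3 s, 11-15 -> 6 s, ... capped at $maxDelay.
    public function delayFor(int $numberOfWrongLogin): int
    {
        if ($numberOfWrongLogin < 1) { return 0; }
        $delay = intdiv($numberOfWrongLogin - 1, $this->interval) * $this->delayInSecond;
        return min($delay, $this->maxDelay);
    }

    // Keyed by account name; keying by source IP as well limits how far a
    // remote party can slow down the legitimate owner of an account.
    public function recordFailure(string $account, int $now): int
    {
        $entry = $this->failures[$account] ?? ['count' => 0, 'last' => $now];
        if ($now - $entry['last'] > $this->resetWindow) {
            $entry['count'] = 0;   // window expired: start counting afresh
        }
        $entry['count']++;
        $entry['last'] = $now;
        $this->failures[$account] = $entry;
        return $this->delayFor($entry['count']);
    }

    public function recordSuccess(string $account): void
    {
        unset($this->failures[$account]);   // a good login clears the counter
    }
}

// Constructed walk-through: 12 consecutive failures, one second apart.
$policy = new LoginDelayPolicy();
foreach (range(1, 12) as $attempt) {
    printf("attempt %2d -> sleep %d s\n", $attempt, $policy->recordFailure('admin', 1000 + $attempt));
}
```

The caller would `sleep()` for the returned number of seconds before answering the failed attempt, and log the attempt regardless of the delay so monitoring still sees it.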

