[TYPO3-core] Remove/Reduce forced delay on failed BE logins
Jigal van Hemert
jigal.van.hemert at typo3.org
Mon May 13 12:21:46 CEST 2013
Hi,
On 13-5-2013 9:08, Fabien Udriot wrote:
> I don't understand where the complication is. We are capable of counting the wrong login attempts
> when sending warning emails, aren't we? So we should be able to increase the waiting time linearly.
The counting of the wrong attempts is less critical than increasing the
delay. Meaning: an attacker would like to bypass the delay and isn't
really interested in the sending of the mails.
How would you reliably count the number of login attempts? The attacker
can use different user names, clear cookies, manipulate headers, spoof
IP addresses, ...
The delay for each failed attempt isn't ideal, but at least it's there
for *any* failed attempt.
--
Jigal van Hemert
TYPO3 CMS Active Contributor
TYPO3 .... inspiring people to share!
Get involved: typo3.org
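The trade-off the reply describes, modelled as an added example (this is not TYPO3 code and not code from either poster): a fixed delay charged on every failed login versus a per-key failure counter with linearly growing delay. The policy names, the delay values (5 s fixed, 2 s step) and the attempt sequences are constructed for illustration; delays are summed rather than slept so the comparison runs instantly, where a real authenticator would call `time.sleep()`.

```python
"""Compare two back-end login throttling policies.

Added example, not TYPO3 code. Delays are computed, not slept, so the
comparison runs instantly; a real authenticator would time.sleep(delay).
"""
from collections import defaultdict


class FixedDelayPolicy:
    """Every failed attempt costs the same delay, whoever made it."""

    def __init__(self, seconds=5.0):
        self.seconds = seconds

    def delay_for(self, key, success):
        return 0.0 if success else self.seconds


class LinearBackoffPolicy:
    """Delay grows with the failures recorded under one key (username,
    client IP, session cookie ...). It only bites while that key stays
    stable across attempts; a fresh key starts again at one step."""

    def __init__(self, step=2.0):
        self.step = step
        self.failures = defaultdict(int)

    def delay_for(self, key, success):
        if success:
            self.failures.pop(key, None)
            return 0.0
        self.failures[key] += 1
        return self.step * self.failures[key]


class CombinedPolicy:
    """Defensive combination: the fixed delay is a floor that applies to
    any failure, and the per-key counter adds on top for repeat offenders."""

    def __init__(self, seconds=5.0, step=2.0):
        self.fixed = FixedDelayPolicy(seconds)
        self.linear = LinearBackoffPolicy(step)

    def delay_for(self, key, success):
        return self.fixed.delay_for(key, success) + self.linear.delay_for(key, success)


def total_delay(policy, attempts):
    """attempts: iterable of (key, success) pairs in order; returns summed delay."""
    return sum(policy.delay_for(key, ok) for key, ok in attempts)


# Constructed attempt sequences: five failures against one key, and five
# failures that each arrive under a different key (the case the thread
# worries about: counting per key gives nothing to count).
SAME_KEY = [("admin", False)] * 5
ROTATING_KEYS = [(f"user{i}", False) for i in range(5)]


def summary():
    """Total delay charged for each policy and attempt pattern, in seconds."""
    return {
        "fixed/same": total_delay(FixedDelayPolicy(), SAME_KEY),
        "fixed/rotating": total_delay(FixedDelayPolicy(), ROTATING_KEYS),
        "linear/same": total_delay(LinearBackoffPolicy(), SAME_KEY),
        "linear/rotating": total_delay(LinearBackoffPolicy(), ROTATING_KEYS),
        "combined/same": total_delay(CombinedPolicy(), SAME_KEY),
        "combined/rotating": total_delay(CombinedPolicy(), ROTATING_KEYS),
    }


if __name__ == "__main__":
    for name, seconds in summary().items():
        print(f"{name:<20} {seconds:5.1f} s")
```

The numbers make the point of the reply concrete: the counter-based policy charges more than the fixed delay when the key is stable (30 s against 25 s here), but collapses to the minimum step once every attempt arrives under a fresh key (10 s), while the fixed delay stays at 25 s in both cases. Keeping the fixed delay as a floor and layering the counter on top preserves the guarantee for any failed attempt.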