[TYPO3-core] Remove/Reduce forced delay on failed BE logins

Jigal van Hemert jigal.van.hemert at typo3.org
Mon May 13 12:21:46 CEST 2013


On 13-5-2013 9:08, Fabien Udriot wrote:
> I don't understand where is the complication. We are capable of counting the wrong attempts of login
> when sending warning emails, aren't we? So, we should be able to increase linearly the waiting time.

The counting of the wrong attempts is less critical than increasing the 
delay. Meaning: an attacker would like to bypass the delay and isn't 
really interested in the sending of the mails.

How would you reliably count the number of login attempts? The attacker 
can use different user names, clear cookies, manipulate headers, spoof 
IP addresses, ...

The delay for each failed attempt isn't ideal, but at least it's there 
for *any* failed attempt.

Jigal van Hemert
TYPO3 CMS Active Contributor

TYPO3 .... inspiring people to share!
Get involved: typo3.org

More information about the TYPO3-team-core mailing list