[TYPO3-core] Remove/Reduce forced delay on failed BE logins
Philipp Gampe
philipp.gampe at typo3.org
Mon May 13 17:14:40 CEST 2013
Hi Jigal,
Jigal van Hemert wrote:
> How would you reliably count the number of login attempts? The attacker
> can use different user names, clear cookies, manipulate headers, spoof
> IP addresses, ...
I think he means counting based on the tried user name which would be rather
simple to implement and does not depend on information about the requester.
> The delay for each failed attempt isn't ideal, but at least it's there
> for *any* failed attempt.
IMHO this should be kept.
I plan to introduce hooks for pre and post login anyway, which would allow
simply locking a user after x wrong attempts.
IMHO this is the most simple way.
As this approach would be extensible, I could think about a timed lock as
well:
e.g. if your login fails three times within half an hour, then the user
account is locked (disabled) for an hour, or a day, etc.
A forced lock of the account after a limited number of wrong attempts is the
best way to secure it, because you effectively avoid any brute force
guessing.
The downside of this approach is of course, that you can DOS a site by
locking all user accounts.
Thus this whole topic really depends on your needs, especially in terms of
security and reliability (which are quite contrary).
Best regards
--
Philipp Gampe – PGP-Key 0AD96065 – TYPO3 UG Bonn/Köln
Documentation – Active contributor TYPO3 CMS
TYPO3 .... inspiring people to share!
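The timed lock sketched in the message above (count failures per tried user name, lock the account once the threshold is reached within the window, release it after the lock duration), written out as an added example. This is not TYPO3 code and does not use any TYPO3 hook or API; the class name, parameter defaults and the attempt log are assumptions constructed for illustration. The replay of the sample log also shows the downside the message names: an attacker who only knows a user name can lock that account, so the legitimate owner's correct password is refused until the lock expires.

```python
"""Per-username failed-login throttle with a timed lock.

Added illustration of the scheme discussed in the thread; it is not
TYPO3 code and mirrors no TYPO3 API.  Class/function names, the default
policy (3 failures in 30 min -> locked for 1 h) and SAMPLE_EVENTS are
assumptions constructed for this example.
"""
from collections import defaultdict, deque


class LoginThrottle:
    """Counts failed logins per user name (no client information needed)."""

    def __init__(self, threshold=3, window=1800, lock_duration=3600):
        self.threshold = threshold          # failures that trigger a lock
        self.window = window                # seconds in which they must occur
        self.lock_duration = lock_duration  # seconds; None = lock until an admin unlocks
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> unlock time (inf = permanent)

    def _prune(self, user, now):
        """Drop failures that fell out of the sliding window."""
        q = self._failures[user]
        while q and q[0] <= now - self.window:
            q.popleft()

    def is_locked(self, user, now):
        """True while the account is locked; expired locks are cleared here."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record_failure(self, user, now):
        """Register a wrong password. Returns True if the account is now locked."""
        if self.is_locked(user, now):
            return True
        self._prune(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= self.threshold:
            self._locked_until[user] = (
                float("inf") if self.lock_duration is None else now + self.lock_duration
            )
            return True
        return False

    def attempt(self, user, password_ok, now):
        """Full login decision: 'locked', 'ok' or 'failed'.

        The lock is checked before the password result is honoured, so a
        correct password is refused while the account is locked.  That is
        what makes the lock effective against guessing, and also what lets
        an attacker who knows only the user name deny service to its owner.
        """
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self._failures[user].clear()  # a successful login resets the counter
            return "ok"
        return "locked" if self.record_failure(user, now) else "failed"


def replay(events, throttle=None):
    """Run a list of (timestamp, user, password_ok) attempts, return outcomes."""
    throttle = throttle or LoginThrottle()
    return [throttle.attempt(user, ok, t) for (t, user, ok) in events]


# Constructed sample log: an attacker sends three wrong passwords for
# "admin" within 20 s; the real admin then tries the correct password at
# t=30 (refused: the account is locked) and again at t=3700, after the
# one-hour lock has expired.
SAMPLE_EVENTS = [
    (0, "admin", False),
    (10, "admin", False),
    (20, "admin", False),
    (30, "admin", True),
    (3700, "admin", True),
]

if __name__ == "__main__":
    for (t, user, ok), outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t={t:5d} user={user} password_ok={ok!s:5} -> {outcome}")
```

Keying on the tried user name means the counter does not depend on anything the requester controls (cookies, headers, source address), which is the point made above; the per-attempt delay already in place is an independent measure and can stay in front of this check. Setting `lock_duration=None` gives the "lock until an admin re-enables the account" variant.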