[TYPO3-core] Remove/Reduce forced delay on failed BE logins

Philipp Gampe philipp.gampe at typo3.org
Mon May 13 17:14:40 CEST 2013

Hi Jigal,

Jigal van Hemert wrote:

> How would you reliably count the number of login attempts? The attacker
> can use different user names, clear cookies, manipulate headers, spoof
> IP addresses, ...

I think he means counting based on the tried user name which would be rather 
simple to implement and does not depend on information about the requester.

> The delay for each failed attempt isn't ideal, but at least it's there
> for *any* failed attempt.

IMHO this should be keep.

I plan to introduce hooks for pre and post login anyway, which would allow 
to simply lock a user after x wrong attempts.
IMHO this is the most simple way.

As this approach would be extensible, I could think about a timed lock as 

e.g. if your login fails for three times within half an hour, then the user 
account is locked (disabled) for an hour, or a day, etc.

A forced lock of the account after a limited number of wrong attempts is the 
best way to secure it, because you effectively avoid any brute force 
The downside of this approach is of course, that you can DOS a site by 
locking all user accounts.

Thus this whole topic really depends on your needs, especially in terms of 
security and reliability (which a quite contrary).

Best regards
Philipp Gampe – PGP-Key 0AD96065 – TYPO3 UG Bonn/Köln
Documentation – Active contributor TYPO3 CMS
TYPO3 .... inspiring people to share!

More information about the TYPO3-team-core mailing list