[TYPO3-core] Remove/Reduce forced delay on failed BE logins

Jigal van Hemert jigal.van.hemert at typo3.org
Mon May 13 19:52:26 CEST 2013


On 13-5-2013 17:14, Philipp Gampe wrote:
> A forced lock of the account after a limited number of wrong attempts is the
> best way to secure it, because you effectively avoid any brute force
> guessing.
> The downside of this approach is of course, that you can DOS a site by
> locking all user accounts.

You just described why this isn't a good method. Lots of organisations 
have fixed methods to build usernames from real names. If you find one 
or a few usernames you can create large lists from the real names. 
Attacking those users will indeed lock them out of the BE.

Jigal van Hemert
TYPO3 CMS Active Contributor

TYPO3 .... inspiring people to share!
Get involved: typo3.org
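The two policies under discussion, modelled side by side as an added example (constructed for this thread, not TYPO3 code): a hard lockout keyed on the username alone, and a growing delay keyed on the (source address, username) pair. The usernames, addresses, threshold and delay values are assumed, and the clock is injectable so the model runs offline. The scenario shows what the reply above describes: with username-only lockout a third party who merely knows the username denies the real user access, while with the per-source throttle the real user, coming from another address, still logs in.

```python
"""Two brute-force mitigation policies for a back-end login, modelled side by side.

Constructed illustration, not TYPO3 code. Usernames, addresses, thresholds and
delays are assumed values chosen for the demonstration.
"""
import time
from collections import defaultdict

MAX_FAILURES = 3  # assumed lockout threshold


class AccountLockout:
    """Hard lockout keyed on the username only.

    After MAX_FAILURES wrong passwords from any source, the account refuses
    every login, including the real user's. That is the denial-of-service
    property discussed in the thread: whoever can guess usernames can lock
    those accounts without knowing a single password.
    """

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)  # username -> consecutive failures

    def attempt(self, username, source, password_ok):
        if self.failures[username] >= self.max_failures:
            return "locked"
        if password_ok:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "denied"


class SourceThrottle:
    """Growing delay keyed on (source address, username).

    Each failure from one source doubles the waiting time that source must
    observe before the next attempt on that username. Other sources keep an
    untouched counter, so a third party cannot lock the real user out.
    """

    def __init__(self, base_delay=1.0, now=time.monotonic):
        self.base_delay = base_delay
        self.now = now  # injectable clock so the model can be tested offline
        self.state = {}  # (source, username) -> (failure_count, not_before)

    def attempt(self, username, source, password_ok):
        key = (source, username)
        count, not_before = self.state.get(key, (0, 0.0))
        now = self.now()
        if now < not_before:
            return "throttled"  # rejected before the password is even checked
        if password_ok:
            self.state.pop(key, None)
            return "ok"
        count += 1
        self.state[key] = (count, now + self.base_delay * 2 ** (count - 1))
        return "denied"

    def remaining_delay(self, username, source):
        """Seconds a source must still wait before trying this username."""
        _, not_before = self.state.get((source, username), (0, 0.0))
        return max(0.0, not_before - self.now())


class FakeClock:
    """Deterministic clock for the demonstration (constructed helper)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def lockout_scenario(policy, clock=None):
    """A third party at 198.51.100.7 sends MAX_FAILURES wrong passwords for
    'jdoe', then the real user logs in from 192.0.2.10 with the correct
    password. Returns the real user's outcome. Addresses and username are
    constructed values."""
    for _ in range(MAX_FAILURES):
        policy.attempt("jdoe", "198.51.100.7", password_ok=False)
        if clock is not None:
            clock.advance(60)  # let any throttle expire between the tries
    return policy.attempt("jdoe", "192.0.2.10", password_ok=True)


def backoff_schedule(failures, base_delay=1.0):
    """Delays the throttle imposes on one source after 1..failures wrong passwords."""
    clock = FakeClock()
    throttle = SourceThrottle(base_delay=base_delay, now=clock)
    delays = []
    for _ in range(failures):
        throttle.attempt("jdoe", "198.51.100.7", password_ok=False)
        delays.append(throttle.remaining_delay("jdoe", "198.51.100.7"))
        clock.advance(delays[-1])  # wait out the delay before the next attempt
    return delays


if __name__ == "__main__":
    print("lockout:", lockout_scenario(AccountLockout()))                   # locked
    clock = FakeClock()
    print("throttle:", lockout_scenario(SourceThrottle(now=clock), clock))  # ok
    print("backoff:", backoff_schedule(4))                                  # [1.0, 2.0, 4.0, 8.0]
```

The throttle answers "throttled" before it touches the password, so a source that is waiting out its delay learns nothing about the credential. Keying on the source alone is not a complete answer either, since it does nothing against attempts spread over many addresses, which is why such a delay is normally one layer alongside other controls rather than the only one.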
