[TYPO3-core] Remove/Reduce forced delay on failed BE logins

Jigal van Hemert jigal.van.hemert at typo3.org
Mon May 13 19:52:26 CEST 2013


Hi,

On 13-5-2013 17:14, Philipp Gampe wrote:
> A forced lock of the account after a limited number of wrong attempts is the
> best way to secure it, because you effectively avoid any brute force
> guessing.
> The downside of this approach is of course, that you can DOS a site by
> locking all user accounts.

You just described why this isn't a good method. Lots of organisations 
have fixed methods to build usernames from real names. If you find one 
or a few usernames you can create large lists from the real names. 
Attacking those users will indeed lock them out of the BE.

-- 
Jigal van Hemert
TYPO3 CMS Active Contributor

TYPO3 .... inspiring people to share!
Get involved: typo3.org
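As an added illustration of the trade-off discussed in this thread (example code, not TYPO3's own): a simulation of a hard lockout after a fixed number of failures versus a capped, decaying per-account delay, both under a flood of wrong passwords aimed at one account. The policy parameters, the simulated clock and the flood itself are assumptions.

```python
"""Failed-login handling: account lockout vs. capped, decaying delay.

Added example, not TYPO3 code. Time is a simulated clock (seconds) so the
comparison runs offline; a refused attempt never reaches password checking.
"""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """Refuse every attempt once `max_failures` wrong passwords were seen."""
    max_failures: int = 5
    failures: dict = field(default_factory=dict)      # user -> count

    def may_attempt(self, user: str, now: float) -> bool:
        return self.failures.get(user, 0) < self.max_failures

    def record_failure(self, user: str, now: float) -> None:
        self.failures[user] = self.failures.get(user, 0) + 1


@dataclass
class DelayPolicy:
    """Require 2**failures - 1 seconds between attempts, capped at
    `max_delay`; the counter resets after `decay` seconds of quiet, so the
    account owner is slowed by at most `max_delay` but never locked out."""
    max_delay: float = 60.0
    decay: float = 900.0
    state: dict = field(default_factory=dict)         # user -> (count, last)

    def _count(self, user: str, now: float):
        count, last = self.state.get(user, (0, 0.0))
        return (0 if now - last >= self.decay else count), last

    def may_attempt(self, user: str, now: float) -> bool:
        count, last = self._count(user, now)
        wait = min(self.max_delay, 2 ** count - 1) if count else 0
        return now - last >= wait

    def record_failure(self, user: str, now: float) -> None:
        count, _ = self._count(user, now)
        self.state[user] = (count + 1, now)


def simulate_flood(policy, user="admin", attempts=1000, retry_at=None):
    """Send `attempts` wrong passwords one second apart (constructed flood),
    return (guesses actually evaluated, whether the real owner may log in
    at `retry_at`, by default 61 s after the flood ends)."""
    now, evaluated = 0.0, 0
    for _ in range(attempts):
        if policy.may_attempt(user, now):
            policy.record_failure(user, now)
            evaluated += 1
        now += 1.0
    retry_at = now + 61.0 if retry_at is None else retry_at
    return evaluated, policy.may_attempt(user, retry_at)
```

With the lockout policy the attacker gets five evaluated guesses and the owner stays locked out; with the delay policy the attacker is throttled to one evaluated guess per minute and the owner can log in again once the capped wait has passed.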

