[TYPO3-core] Remove/Reduce forced delay on failed BE logins
Philipp Gampe
philipp.gampe at typo3.org
Tue May 14 00:12:41 CEST 2013
Hi Jigal,
Jigal van Hemert wrote:
> On 13-5-2013 17:14, Philipp Gampe wrote:
>> A forced lock of the account after a limited number of wrong attempts is
>> the best way to secure it, because you effectively avoid any brute force
>> guessing.
>> The downside of this approach is of course, that you can DOS a site by
>> locking all user accounts.
>
> You just described why this isn't a good method. Lots of organisations
> have fixed methods to build usernames from real names. If you find one
> or a few usernames you can create large lists from the real names.
> Attacking those users will indeed lock them out of the BE.
As said, this is a trade-off between security (forced locks) and comfort.
Depending on your security policy, you might find it more acceptable to have
all users locked than to have your site hacked; even if a site hacked via a
brute-force password guess is very unlikely.
A takedown, analysis and re-enabling of all user accounts is a pretty expensive
task and you only want to risk doing it multiple times if you have a really
strict security policy.
However, I know of such cases, and if your backend is only accessible from the
internal network, you do not risk much DOS via password-attempt overflow,
thus such a policy could make sense.
It really, really depends on your needs.
Cheers
--
Philipp Gampe – PGP-Key 0AD96065 – TYPO3 UG Bonn/Köln
Documentation – Active contributor TYPO3 CMS
TYPO3 .... inspiring people to share!
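The two reactions the thread contrasts, a hard account lock after a fixed number of failures versus a delay imposed only on the failing source, can be shown side by side. The following is an added illustration written for this page; it is not TYPO3 core code and does not reflect how TYPO3 implements its login delay. Class and method names, the thresholds and the IP addresses (TEST-NET ranges) are all constructed for the example.

```php
<?php
// Added illustration, not TYPO3 code: two ways to react to failed backend logins.
// "Hard lock" locks the *account* after N failures. It stops guessing outright,
// but anyone who knows a username can lock that user out (the DOS the thread
// describes). "Throttle" only delays the *source* that keeps failing, so the
// legitimate user on another connection is not affected.

final class FailedLoginTracker
{
    private const LOCK_THRESHOLD = 5;     // failures before an account is locked
    private const LOCK_SECONDS   = 900;   // how long a locked account stays locked
    private const BASE_DELAY     = 1;     // seconds; doubled for each failure from a source
    private const MAX_DELAY      = 60;    // cap on the per-source delay

    /** @var array<string, array{count:int, lockedUntil:int}> keyed by username */
    private array $accounts = [];
    /** @var array<string, array{count:int, lastFailure:int}> keyed by source address */
    private array $sources = [];

    public function recordFailure(string $username, string $source, int $now): void
    {
        // Per-account counter drives the hard-lock policy.
        $acc = $this->accounts[$username] ?? ['count' => 0, 'lockedUntil' => 0];
        $acc['count']++;
        if ($acc['count'] >= self::LOCK_THRESHOLD) {
            $acc['lockedUntil'] = $now + self::LOCK_SECONDS;
        }
        $this->accounts[$username] = $acc;

        // Per-source counter drives the throttle policy.
        $src = $this->sources[$source] ?? ['count' => 0, 'lastFailure' => 0];
        $src['count']++;
        $src['lastFailure'] = $now;
        $this->sources[$source] = $src;
    }

    public function recordSuccess(string $username, string $source): void
    {
        // A successful login resets both counters.
        unset($this->accounts[$username], $this->sources[$source]);
    }

    /** Hard-lock policy: is this account locked right now, whoever is asking? */
    public function isAccountLocked(string $username, int $now): bool
    {
        return ($this->accounts[$username]['lockedUntil'] ?? 0) > $now;
    }

    /** Throttle policy: seconds this source must still wait before its next attempt. */
    public function delayFor(string $source, int $now): int
    {
        if (!isset($this->sources[$source])) {
            return 0;
        }
        $src = $this->sources[$source];
        // Exponential back-off per source: 1, 2, 4, 8, 16 ... seconds, capped.
        $penalty = min(self::MAX_DELAY, self::BASE_DELAY * (2 ** ($src['count'] - 1)));
        return max(0, $src['lastFailure'] + $penalty - $now);
    }
}

// Constructed scenario: five wrong passwords for user "editor", all from
// 198.51.100.7 at t=1000, while the real editor works from 203.0.113.5.
$tracker = new FailedLoginTracker();
for ($i = 0; $i < 5; $i++) {
    $tracker->recordFailure('editor', '198.51.100.7', 1000);
}

// Hard lock: the account is now locked for everyone, including the real editor.
var_dump($tracker->isAccountLocked('editor', 1001));
// Throttle: only the failing source has to wait; the editor's own address does not.
var_dump($tracker->delayFor('198.51.100.7', 1001));
var_dump($tracker->delayFor('203.0.113.5', 1001));
```

The point of the comparison is the trade-off Philipp describes: the hard lock makes guessing pointless but lets a third party take a known username out of service, whereas the per-source delay slows guessing from one origin without touching the account itself. A real deployment would persist both counters (database or cache) rather than hold them in memory, and would expire the per-source record after a quiet period.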