[TYPO3-core] Remove/Reduce forced delay on failed BE logins

Philipp Gampe philipp.gampe at typo3.org
Tue May 14 00:12:41 CEST 2013

Hi Jigal,

Jigal van Hemert wrote:

> On 13-5-2013 17:14, Philipp Gampe wrote:
>> A forced lock of the account after a limited number of wrong attempts is
>> the best way to secure it, because you effectively avoid any brute force
>> guessing.
>> The downside of this approach is of course, that you can DOS a site by
>> locking all user accounts.
> You just described why this isn't a good method. Lots of organisation
> have fixed methods to build usernames from real names. If you find one
> or a few usernames you can create large lists from the real names.
> Attacking those users will indeed lock them out of the BE.

As said, this is a trade-off between security (force locks) and comfort.

Depending on your security policy, you might find it more acceptable to have 
all users locked than to have your site hacked; even if a hacked via a brute 
force password guess site is very unlikely.

A takedown, analysis and re-enabling all users account is a pretty expensive 
task and you only want to risk doing it multiple times if you have a really 
strict security policy.

However, I know such cases and if your backend is only accessible from the 
internal network, you do not risk many DOS via password attempt overflow, 
thus such policy could make sense.

It really, really depends on your needs.

Philipp Gampe – PGP-Key 0AD96065 – TYPO3 UG Bonn/Köln
Documentation – Active contributor TYPO3 CMS
TYPO3 .... inspiring people to share!

More information about the TYPO3-team-core mailing list