On 7 Aug 2017, at 16:39, teor teor2345@gmail.com wrote:
> How should we set up trac regarding brute-forcing? Are there other possibilities I missed? I'd love to hear your feedback on this.
Use a compromised passwords list as a way of rejecting easily guessed passwords:
https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-p...
Require the trac replacement to support 2FA.
Enforce a minimum password length. (Any other requirements are counter-productive, as machines aren't good at guessing entropy.)
Use an exponentially-increasing timeout for the next login every time a login fails for a user. (Some sites do it for failed logins per IP address, too, but that's silly, because open proxies.) This is equivalent to an automatically-resetting lockout, but requires the attacker to spend as much time as the lockout time setting it up.
Use some other kind of credential rather than a password. (I'd find this inconvenient, because my other credentials are hard to attach to some of the machines I use trac on.)
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
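The first, third and fourth suggestions above (reject passwords that appear in a compromised-password list, enforce only a minimum length, and apply a per-user exponentially growing timeout after each failed login) can be combined in a small login front end. The block below is an added example, not code from this thread, from Trac, or from the Tor project. The compromised-password set, the 12-character minimum, the user record format, `LoginThrottle`, `FakeClock` and `demo` are all constructed for illustration; the compromised list is a handful of SHA-1 digests standing in for the Pwned Passwords download, which the real corpus also distributes as SHA-1.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for the Pwned Passwords corpus (not the real list):
# SHA-1 hex digests, the format the downloadable corpus uses.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "letmein", "correcthorsebatterystaple")
}
MIN_PASSWORD_LENGTH = 12  # hypothetical policy value; the message only says "a minimum"


def is_compromised(password, corpus=COMPROMISED_SHA1):
    """True if the password's SHA-1 appears in the compromised-password list."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in corpus


def check_password_policy(password):
    """Return a rejection reason, or None if the password is acceptable.
    Length and a breach-list lookup are the only rules, as the message advises."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return "too short"
    if is_compromised(password):
        return "appears in compromised-password list"
    return None


def make_record(password, iterations=200_000):
    """Salted PBKDF2-SHA256 record for a constructed user database."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_record(record, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


class LoginThrottle:
    """Per-user exponential backoff: the n-th consecutive failure blocks the
    account for base_delay * 2**(n-1) seconds (capped at max_delay); a success
    resets it. Keyed by username only, not by source IP, as the message recommends."""

    def __init__(self, base_delay=1.0, max_delay=3600.0, clock=time.monotonic):
        self._base = base_delay
        self._max = max_delay
        self._clock = clock
        self._state = {}  # username -> (consecutive_failures, not_before)

    def seconds_until_allowed(self, username):
        _, not_before = self._state.get(username, (0, 0.0))
        return max(0.0, not_before - self._clock())

    def attempt(self, username, password, users):
        """Return (success, seconds_to_wait). Attempts made during a timeout are
        refused without being counted, so the attacker must sit out each timeout
        before the next one can be earned: building an N-failure lockout costs
        the attacker the sum of all the previous timeouts."""
        wait = self.seconds_until_allowed(username)
        if wait > 0:
            return False, wait
        record = users.get(username)
        if record is not None and verify_record(record, password):
            self._state.pop(username, None)
            return True, 0.0
        failures, _ = self._state.get(username, (0, 0.0))
        failures += 1
        delay = min(self._base * 2 ** (failures - 1), self._max)
        self._state[username] = (failures, self._clock() + delay)
        return False, delay


class FakeClock:
    """Deterministic clock so the backoff can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walk one account through three failures and a recovery; return the delays seen."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock.now)
    users = {"alice": make_record("a long unguessable passphrase 42", iterations=1000)}
    seen = []
    for _ in range(3):
        _, delay = throttle.attempt("alice", "wrong-guess", users)
        seen.append(delay)
        clock.advance(delay)  # the guesser has to wait out each timeout
    ok, delay = throttle.attempt("alice", "a long unguessable passphrase 42", users)
    seen.append(0.0 if ok else delay)
    return seen
```

`demo()` returns the timeouts 1, 2 and 4 seconds for the three failures, then 0 for the successful login that clears the counter. Because a refused attempt during a timeout is not counted, the throttle also cannot be used to lock a victim out any faster than the timeouts themselves allow, which is the property the message describes.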