On Tue, 8 Aug 2017 13:41:06 +1000 teor teor2345@gmail.com wrote:
> Use an exponentially-increasing timeout for the next login every time a login fails for a user. (Some sites do it for failed logins per IP address, too, but that's silly, because open proxies.) This is equivalent to an automatically-resetting lockout, but requires the attacker to spend as much time as the lockout time setting it up.
That seems hard to do given:
> In general it can be configured to release the lock after some amount of time. However each visit to trac happens at Unix epoch by configuration, so the plugin would never release the lock. If we want to configure automatic unlocking, we would have to change our webserver settings (as far as I see it).
Without looking at the trac code, maybe it's not.
Regards,
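The per-user exponential lockout teor describes, as an added illustration that is not code from this thread or from trac. The injectable `clock` parameter is an assumption introduced here so the frozen-clock situation raised for trac (every request seeing the same timestamp) can be reproduced: with such a clock the lock never expires, even for the legitimate user.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class LoginThrottle:
    """Per-user exponential lockout: each failed login doubles the wait
    before the next attempt is accepted; a successful login resets it.
    An attacker therefore pays the full lockout time for every guess."""
    base_delay: float = 1.0                 # seconds after the first failure (assumed)
    max_delay: float = 3600.0               # cap so the lock always self-resets
    clock: Callable[[], float] = time.time  # injectable; see frozen-clock case
    _failures: Dict[str, int] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def retry_after(self, user: str) -> float:
        """Seconds the user must still wait; 0.0 if an attempt is allowed now."""
        return max(0.0, self._locked_until.get(user, 0.0) - self.clock())

    def attempt(self, user: str, password_ok: bool) -> Tuple[bool, float]:
        """Record one login attempt. Returns (accepted, seconds_to_wait)."""
        wait = self.retry_after(user)
        if wait > 0:
            # Inside the lockout window: reject regardless of the password,
            # so a correct guess made too early gains the attacker nothing.
            return False, wait
        if password_ok:
            self._failures.pop(user, None)
            self._locked_until.pop(user, None)
            return True, 0.0
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        delay = min(self.base_delay * 2 ** (n - 1), self.max_delay)
        self._locked_until[user] = self.clock() + delay
        return False, delay


class FakeClock:
    """Constructed test clock so the lockout timeline can be stepped by hand."""
    def __init__(self, t: float = 0.0) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t
```

With `clock=lambda: 0.0` (the "every visit happens at the Unix epoch" configuration) `retry_after` never reaches zero, which is exactly the never-released lock described above.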