[tor-bugs] #23120 [Internal Services/Service - trac]: Make it harder to brute-force Trac user passwords
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Aug 5 22:36:12 UTC 2017
#23120: Make it harder to brute-force Trac user passwords
----------------------------------------------+------------------------
Reporter: gk | Owner: qbi
Type: defect | Status: closed
Priority: Medium | Milestone:
Component: Internal Services/Service - trac | Version:
Severity: Normal | Resolution: fixed
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
----------------------------------------------+------------------------
Changes (by qbi):
* status: new => closed
* resolution: => fixed
Comment:
The `trac.ini` now has the following settings:
{{{
login_attempt_max_count = 17
user_lock_max_time = 10
}}}
This means that after 17 failed attempts the account will be locked. A
normal user who wants to log in through the website would not take that
many attempts. So the assumption is that it is an automatic approach.
The second line means that the account will be locked for 10 seconds. This
is just a workaround. According to the
[https://trac-hacks.org/wiki/CookBook/AccountManagerPluginConfiguration CookBook]
it should be `0`. However, when it is set, trac throws an error. Due to the
fact that every user visits this site at the same time, the 10 seconds also
results in an indefinite time.
If a user's login was locked, the user can contact the trac admin to unlock
the account. So they can use the `cypherpunks` account to create a ticket or
contact us in other ways.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23120#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
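A simplified model of the lockout policy the comment describes, added here as an example; it is not the Trac AccountManagerPlugin's code, and the class name, the single user `alice` and the one-guess-per-second workload are assumptions. It shows the effect of `login_attempt_max_count = 17` with `user_lock_max_time = 10` versus `0` (locked until an admin unlocks).

```python
class LoginLockout:
    """Simplified model of the two trac.ini settings in the ticket (hypothetical
    code, not AccountManagerPlugin internals)."""

    def __init__(self, login_attempt_max_count, user_lock_max_time, clock):
        self.max_count = login_attempt_max_count
        self.lock_time = user_lock_max_time  # seconds; 0 = locked until admin_unlock()
        self.clock = clock                   # callable returning the current time
        self.failures = {}                   # user -> consecutive failed attempts
        self.locked_at = {}                  # user -> time the lock started

    def is_locked(self, user):
        if user not in self.locked_at:
            return False
        if self.lock_time == 0:
            return True  # no automatic expiry
        if self.clock() - self.locked_at[user] >= self.lock_time:
            del self.locked_at[user]  # lock expired, start counting afresh
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user, password_ok):
        """Returns 'locked', 'ok' or 'bad_password'."""
        if self.is_locked(user):
            return 'locked'
        if password_ok:
            self.failures[user] = 0
            return 'ok'
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_count:
            self.locked_at[user] = self.clock()
        return 'bad_password'

    def admin_unlock(self, user):  # the "contact the trac admin" path
        self.locked_at.pop(user, None)
        self.failures[user] = 0


def evaluated_guesses(max_count, lock_time, seconds):
    """Wrong guesses the policy actually checks when a script submits one guess
    per second for `seconds` seconds (constructed workload, fake clock)."""
    now = [0]  # fake clock in whole seconds
    lockout = LoginLockout(max_count, lock_time, lambda: now[0])
    evaluated = 0
    for t in range(seconds):
        now[0] = t
        if lockout.attempt('alice', False) == 'bad_password':
            evaluated += 1
    return evaluated
```

With a 10-second lock the policy still checks 42 of 60 guesses in a minute, while `0` stops at 17 until an admin intervenes.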