[tor-project] Make it harder to brute-force Trac user passwords

teor teor2345 at gmail.com
Tue Aug 8 03:41:06 UTC 2017

> On 7 Aug 2017, at 16:39, teor <teor2345 at gmail.com> wrote:
>> How should we set up trac regarding brute-forcing? Are there other
>> possibilities I missed? I'd love to hear your feedback on this.
> Use a compromised passwords list as a way of rejecting easily guessed
> passwords:
> https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/
> Require the trac replacement to support 2FA.

Enforce a minimum password length. (Any other requirements are
counter-productive, as machines aren't good at guessing entropy.)

Use an exponentially-increasing timeout for the next login every time
a login fails for a user. (Some sites do it for failed logins per IP
address, too, but that's silly, because open proxies.) This is
equivalent to an automatically-resetting lockout, but requires the
attacker to spend as much time as the lockout time setting it up.

Use some other kind of credential rather than a password.
(I'd find this inconvenient, because my other credentials are hard to
attach to some of the machines I use trac on.)


Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
xmpp: teor at torproject dot org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.torproject.org/pipermail/tor-project/attachments/20170808/c0619588/attachment.sig>

More information about the tor-project mailing list