[tor-project] Make it harder to brute-force Trac user passwords

teor teor2345 at gmail.com
Tue Aug 8 03:41:06 UTC 2017


> On 7 Aug 2017, at 16:39, teor <teor2345 at gmail.com> wrote:
> 
>> How should we set up trac regarding brute-forcing? Are there other
>> possibilities I missed? I'd love to hear your feedback on this.
> 
> Use a compromised passwords list as a way of rejecting easily guessed
> passwords:
> 
> https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/
> 
> Require the trac replacement to support 2FA.

Enforce a minimum password length. (Any other requirements are
counter-productive, as machines aren't good at guessing entropy.)

Use an exponentially-increasing timeout for the next login every time
a login fails for a user. (Some sites do it for failed logins per IP
address, too, but that's silly, because open proxies.) This is
equivalent to an automatically-resetting lockout, but requires the
attacker to spend as much time as the lockout time setting it up.

Use some other kind of credential rather than a password.
(I'd find this inconvenient, because my other credentials are hard to
attach to some of the machines I use trac on.)

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
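The per-user exponentially increasing login delay and the minimum-length plus compromised-list password check discussed in this thread, as an added, self-contained illustration that is not code from the thread or from Trac. It assumes an in-memory store keyed by username, a hypothetical 12-character minimum, and a small constructed blocklist standing in for a real compromised-password list; times are passed in explicitly so the behaviour can be checked without sleeping.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for a compromised-password list. A real one has
# hundreds of millions of entries and would be checked by hash, not held in a set.
COMPROMISED_PASSWORDS = {"password1234", "trac-password", "correcthorsebattery"}
MIN_LENGTH = 12  # hypothetical policy value


def password_acceptable(password: str) -> Tuple[bool, str]:
    """Minimum length plus a compromised-list check; no composition rules."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if password.lower() in COMPROMISED_PASSWORDS:
        return False, "appears in compromised-password list"
    return True, "ok"


def backoff_delay(failures: int, base: float, cap: float) -> float:
    """Wait imposed after the n-th consecutive failure: base * 2^(n-1), capped."""
    return min(base * 2 ** (failures - 1), cap)


def cumulative_attacker_time(guesses: int, base: float, cap: float) -> float:
    """Wall-clock seconds an attacker must spend to make `guesses` wrong guesses
    in a row against one account: the sum of every wait along the way."""
    return sum(backoff_delay(n, base, cap) for n in range(1, guesses + 1))


@dataclass
class LoginThrottle:
    base_delay: float = 1.0
    max_delay: float = 3600.0
    # user -> (consecutive failures, earliest time the next attempt is allowed)
    _state: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def seconds_until_allowed(self, user: str, now: Optional[float] = None) -> float:
        now = time.time() if now is None else now
        _, not_before = self._state.get(user, (0, 0.0))
        return max(0.0, not_before - now)

    def attempt(self, user: str, verify: Callable[[], bool],
                now: Optional[float] = None) -> str:
        """Returns 'locked', 'ok' or 'failed'. `verify` checks the credential
        and is only called when the user is not currently in a wait period."""
        now = time.time() if now is None else now
        if self.seconds_until_allowed(user, now) > 0:
            # Rejected without evaluating the password and without touching
            # the timer: hammering the endpoint during the wait neither helps
            # the attacker nor lets them extend the real user's lockout.
            return "locked"
        if verify():
            self._state.pop(user, None)  # success resets the counter
            return "ok"
        failures = self._state.get(user, (0, 0.0))[0] + 1
        not_before = now + backoff_delay(failures, self.base_delay, self.max_delay)
        self._state[user] = (failures, not_before)
        return "failed"


if __name__ == "__main__":
    # Show how the wait grows: 20 wrong guesses at 1 s base, capped at one hour.
    for n in (1, 5, 10, 15, 20):
        print(f"{n:2d} wrong guesses -> {cumulative_attacker_time(n, 1.0, 3600.0):8.0f} s spent waiting")
```

The lockout here resets itself: once the wait has elapsed the user may try again, but each further failure doubles the next wait, so reaching a given number of guesses costs the attacker the full sum of the waits, which is the point made in the message above.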