[tor-project] Make it harder to brute-force Trac user passwords

Roger Dingledine arma at mit.edu
Tue Aug 8 05:12:28 UTC 2017


On Tue, Aug 08, 2017 at 01:41:06PM +1000, teor wrote:
> Use an exponentially-increasing timeout for the next login every time
> a login fails for a user. (Some sites do it for failed logins per IP
> address, too, but that's silly, because open proxies.) This is
> equivalent to an automatically-resetting lockout, but requires the
> attacker to spend as much time as the lockout time setting it up.

This was certainly the first one that came to my mind.

Though actually, I don't think there's any particular reason it needs
to be exponentially increasing. "0 seconds of delay for the first 4
attempts, then 60 seconds of delay for subsequent attempts" might do
the trick nicely.

--Roger
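For readers following the design point, here is a sketch of the per-user delay both messages describe. This is an added example, not Trac's code and not anything posted in the thread; the names `LoginThrottle`, `exponential_delay`, `tiered_delay` and `FakeClock` are my own. It implements teor's exponentially-increasing delay and Roger's "4 free attempts, then 60 seconds" variant behind the same interface, with the clock injected so the behaviour can be checked without sleeping.

```python
"""Per-user login throttling (added example, not Trac's implementation).

Two delay policies, both keyed on consecutive failures for one username:
  * exponential_delay: the delay doubles with every consecutive failure
  * tiered_delay:      no delay for the first N failures, then a flat delay
A successful login clears the counter, which is the "automatically
resetting lockout" the thread compares this to.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict


def exponential_delay(failures: int, base: float = 1.0, cap: float = 3600.0) -> float:
    """Delay after `failures` consecutive failures: 0, base, 2*base, 4*base, ... (capped)."""
    if failures <= 0:
        return 0.0
    return min(cap, base * 2 ** (failures - 1))


def tiered_delay(failures: int, free_attempts: int = 4, delay: float = 60.0) -> float:
    """No delay for the first `free_attempts` failures, a flat `delay` afterwards."""
    return 0.0 if failures < free_attempts else delay


def time_to_guess(policy: Callable[[int], float], guesses: int) -> float:
    """Total seconds an attacker must wait to submit `guesses` wrong passwords in a row."""
    return sum(policy(k) for k in range(1, guesses))


@dataclass
class _UserState:
    failures: int = 0
    not_before: float = 0.0  # clock value before which attempts are refused


@dataclass
class LoginThrottle:
    """Tracks consecutive failed logins per username and enforces the policy's delay."""
    policy: Callable[[int], float]
    clock: Callable[[], float] = time.monotonic
    _users: Dict[str, _UserState] = field(default_factory=dict)

    def retry_after(self, username: str) -> float:
        """Seconds the user must still wait; 0.0 if an attempt is allowed now."""
        state = self._users.get(username)
        if state is None:
            return 0.0
        return max(0.0, state.not_before - self.clock())

    def attempt(self, username: str, check_password: Callable[[], bool]) -> bool:
        """Evaluate the credential only when the user is outside the delay window.

        Returns True on a successful login, False when refused (wrong password,
        or still inside the delay).  The delay is set on failure, so each wrong
        guess costs the waiting time before the next one is even evaluated.
        """
        if self.retry_after(username) > 0:
            return False  # throttled: the password is not checked at all
        state = self._users.setdefault(username, _UserState())
        if check_password():
            del self._users[username]  # success resets the counter automatically
            return True
        state.failures += 1
        state.not_before = self.clock() + self.policy(state.failures)
        return False


class FakeClock:
    """Controllable clock for demonstrations and tests (constructed, not real time)."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(policy=tiered_delay, clock=clock)
    for _ in range(4):
        throttle.attempt("alice", lambda: False)  # four free wrong guesses
    print("retry after 4 failures:", throttle.retry_after("alice"), "s")
    print("100 guesses, tiered 4/60s:", time_to_guess(tiered_delay, 100), "s")
    print("100 guesses, exponential:", time_to_guess(exponential_delay, 100), "s")
```

The `time_to_guess` helper is the quickest way to compare the two policies: the flat 60-second delay makes 100 guesses against one account cost about an hour and a half, and the exponential curve reaches its cap within a dozen failures, which is the point Roger makes about exponential growth not being essential.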
