[tor-project] Make it harder to brute-force Trac user passwords

Yawning Angel yawning at schwanenlied.me
Tue Aug 8 05:30:53 UTC 2017

On Tue, 8 Aug 2017 13:41:06 +1000
teor <teor2345 at gmail.com> wrote: 
> Use an exponentially-increasing timeout for the next login every time
> a login fails for a user. (Some sites do it for failed logins per IP
> address, too, but that's silly, because open proxies.) This is
> equivalent to an automatically-resetting lockout, but requires the
> attacker to spend as much time as the lockout time setting it up.

That seems hard to do given:
> In general it can be configured to release the lock after some amount
> of time. However each visit to trac happens at Unix epoch by
> configuration, so the plugin would never release the lock. If we want
> to configure automatic unlocking, we would have to change our
> webserver settings (as far as I see it).

Without looking at the trac code.  Maybe it's not.


Yawning Angel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-project/attachments/20170808/958a5449/attachment.sig>

More information about the tor-project mailing list