[tor-project] Make it harder to brute-force Trac user passwords
Roger Dingledine
arma at mit.edu
Tue Aug 8 05:12:28 UTC 2017
On Tue, Aug 08, 2017 at 01:41:06PM +1000, teor wrote:
> Use an exponentially-increasing timeout for the next login every time
> a login fails for a user. (Some sites do it for failed logins per IP
> address, too, but that's silly, because open proxies.) This is
> equivalent to an automatically-resetting lockout, but requires the
> attacker to spend as much time as the lockout time setting it up.
This was certainly the first one that came to my mind.
Though actually, I don't think there's any particular reason it needs
to be exponentially increasing. "0 seconds of delay for the first 4
attempts, then 60 seconds of delay for subsequent attempts" might do
the trick nicely.
--Roger
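The two per-user throttling policies discussed in this exchange (teor's exponentially growing delay and Roger's "no delay for the first 4 attempts, then 60 seconds") side by side, as an added example that is not part of the thread or of Trac's code. The class and function names, the 1 s base and 1 h cap for the exponential policy, and the guess-cost calculation are assumptions made for the illustration.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

@dataclass
class LoginThrottle:
    """Per-user throttling state, keyed by username rather than source IP as the thread discusses."""
    delay_for: Callable[[int], float]                 # consecutive failures -> seconds to wait
    clock: Callable[[], float] = time.monotonic      # injectable so tests can fake time
    failures: Dict[str, int] = field(default_factory=dict)
    next_allowed: Dict[str, float] = field(default_factory=dict)

    def attempt(self, user: str, password_ok: bool) -> str:
        now = self.clock()
        if now < self.next_allowed.get(user, 0.0):
            return "throttled"                       # refused before the password is even checked
        if password_ok:
            self.failures.pop(user, None)            # a successful login resets the counter
            self.next_allowed.pop(user, None)
            return "ok"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        self.next_allowed[user] = now + self.delay_for(n)
        return "failed"

def exponential(n: int, base: float = 1.0, cap: float = 3600.0) -> float:
    """teor's proposal: the delay doubles with each consecutive failure (base and cap are assumed values)."""
    exponent = min(n - 1, 62)                        # clamp so a huge counter cannot overflow a float
    return min(cap, base * 2 ** exponent)

def fixed_after_free(n: int, free: int = 4, delay: float = 60.0) -> float:
    """Roger's alternative: no delay for the first `free` failures, then a flat delay."""
    return 0.0 if n <= free else delay

def guesses_cost(delay_for: Callable[[int], float], guesses: int) -> float:
    """Seconds an online attacker must wait to make `guesses` wrong attempts against one
    account: the delay set after every failure except the last has to elapse first."""
    return float(sum(delay_for(n) for n in range(1, guesses)))

if __name__ == "__main__":
    for name, policy in (("exponential", exponential), ("fixed_after_free", fixed_after_free)):
        print(f"{name}: 10 000 guesses cost {guesses_cost(policy, 10_000) / 3600:.1f} h")
```

Both policies make an online brute force against one account cost hours per ten thousand guesses, while a user who simply mistypes a few times is never delayed under the fixed policy.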