> On 7 Aug 2017, at 16:39, teor <teor2345@xxxxxxxxx> wrote:
>
>> How should we set up trac regarding brute-forcing? Are there other
>> possibilities I missed? I'd love to hear your feedback on this.
>
> Use a compromised passwords list as a way of rejecting easily guessed
> passwords:
>
> https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/
>
> Require the trac replacement to support 2FA.

Enforce a minimum password length.
(Any other requirements are counter-productive, as machines aren't good at guessing entropy.)

Use an exponentially-increasing timeout for the next login every time a login fails for a user.
(Some sites do it for failed logins per IP address, too, but that's silly, because open proxies.)
This is equivalent to an automatically-resetting lockout, but requires the attacker to spend as much time as the lockout time setting it up.

Use some other kind of credential rather than a password.
(I'd find this inconvenient, because my other credentials are hard to attach to some of the machines I use trac on.)

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
_______________________________________________
tor-project mailing list
tor-project@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
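The three defensive measures teor proposes above (reject passwords found in a compromised-password list, enforce only a minimum length, and apply a per-user exponentially increasing delay after each failed login) can be combined in a single login gate. The following is an added illustration written for this thread, not code from teor, Tor Project, or any Trac replacement. The breached-password set is a constructed stand-in for the downloadable Pwned Passwords file (which ships as SHA-1 digests); the minimum length of 12, the 1-second base delay, the 1-hour cap, and the PBKDF2 work factor are assumed values the post does not specify.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# --- Breached-password rejection -------------------------------------------
# The downloadable Pwned Passwords list is a file of SHA-1 digests, one per
# line. CONSTRUCTED sample standing in for it: a handful of weak passwords
# hashed the same way. A real deployment loads the real list (or a compact
# filter built from it) instead of this set.
_SAMPLE_WEAK = ["password", "passwordpassword", "123456", "qwerty", "letmein"]
PWNED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _SAMPLE_WEAK}

MIN_PASSWORD_LENGTH = 12  # assumed value; the post only says to enforce a minimum


def password_is_acceptable(password):
    """Return (ok, reason). Only length and the breach list are checked,
    deliberately: no composition rules, as the post argues."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False, "shorter than %d characters" % MIN_PASSWORD_LENGTH
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    if digest in PWNED_SHA1:
        return False, "appears in the compromised-password list"
    return True, "ok"


# --- Per-user exponential backoff ------------------------------------------
BASE_DELAY = 1.0         # seconds after the first consecutive failure (assumed)
MAX_DELAY = 3600.0       # cap so a sustained attack cannot lock a user out forever (assumed)
PBKDF2_ROUNDS = 200_000  # assumed work factor for the stored verifier


@dataclass
class _LoginState:
    failures: int = 0          # consecutive failed attempts for this user
    locked_until: float = 0.0  # clock value before which no attempt is processed


class LoginThrottle:
    """Keeps salted PBKDF2 verifiers and throttles attempts per user name."""

    def __init__(self, clock=time.monotonic):
        self._verifiers = {}  # user -> (salt, pbkdf2 digest)
        self._state = {}      # user -> _LoginState
        self._clock = clock   # injectable so tests can advance time deterministically

    def register(self, user, password):
        ok, reason = password_is_acceptable(password)
        if not ok:
            raise ValueError(reason)
        salt = os.urandom(16)
        self._verifiers[user] = (salt, self._derive(password, salt))

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def seconds_until_allowed(self, user):
        st = self._state.get(user)
        return 0.0 if st is None else max(0.0, st.locked_until - self._clock())

    def failures(self, user):
        st = self._state.get(user)
        return 0 if st is None else st.failures

    def attempt(self, user, password):
        """Return (success, message). While a user is throttled the password is
        not evaluated at all, so a correct guess during the lockout is rejected
        too and the response time does not reveal whether it was right."""
        now = self._clock()
        st = self._state.setdefault(user, _LoginState())
        if now < st.locked_until:
            return False, "throttled; retry in %.0fs" % (st.locked_until - now)
        if self._verify(user, password):
            st.failures = 0
            st.locked_until = 0.0
            return True, "ok"
        st.failures += 1
        # Delay doubles with each consecutive failure: 1s, 2s, 4s, ... up to MAX_DELAY.
        delay = min(BASE_DELAY * 2 ** (st.failures - 1), MAX_DELAY)
        st.locked_until = now + delay
        return False, "invalid credentials; next attempt allowed in %.0fs" % delay

    def _verify(self, user, password):
        entry = self._verifiers.get(user)
        if entry is None:
            # Unknown users accumulate backoff exactly like real ones, so the
            # throttle does not reveal which account names exist.
            return False
        salt, expected = entry
        return hmac.compare_digest(self._derive(password, salt), expected)
```

The lockout resets automatically because `locked_until` is a point in time rather than a flag, which matches the post's observation that the scheme behaves like an automatically-resetting lockout while still costing the attacker the full accumulated delay to drive it up. Keying state by user name rather than source address is what the post recommends; in a real service the `_state` map should be backed by an expiring store so that the per-name entries do not grow without bound.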