
Re: [tor-project] Make it harder to brute-force Trac user passwords
On Tue, Aug 08, 2017 at 01:41:06PM +1000, teor wrote:
> Use an exponentially-increasing timeout for the next login every time
> a login fails for a user. (Some sites do it for failed logins per IP
> address, too, but that's silly, because open proxies.) This is
> equivalent to an automatically-resetting lockout, but requires the
> attacker to spend as much time as the lockout time setting it up.

This was certainly the first one that came to my mind.

Though actually, I don't think there's any particular reason it needs
to be exponentially increasing. "0 seconds of delay for the first 4
attempts, then 60 seconds of delay for subsequent attempts" might do
the trick nicely.

--Roger
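The two throttling policies discussed in this thread, teor's exponentially increasing per-user delay and Roger's "no delay for the first 4 attempts, then 60 seconds", written out as a small, self-contained model. This is an added illustration, not code from the thread or from Trac; the parameter names, the 1-second base and 1-hour cap for the exponential variant, and the caller-supplied monotonic clock are all assumptions made here. State is keyed by username only, following the thread's point that per-IP limits are defeated by open proxies. Attempts that arrive inside the delay window are rejected without checking the password, so a throttled request neither leaks whether the guess was right nor inflates the failure counter.

```python
"""Per-user login throttling: exponential backoff vs. a fixed threshold.

Added example modelling the two policies proposed on the tor-project list.
All names and defaults here are assumptions, not Trac configuration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict

# A policy maps the number of consecutive failures so far to the delay
# (seconds) that must elapse before the next attempt is even looked at.
Policy = Callable[[int], float]


def exponential_policy(base: float = 1.0, cap: float = 3600.0) -> Policy:
    """teor's proposal: the delay doubles with every failure, up to `cap`."""
    def delay(failures: int) -> float:
        if failures == 0:
            return 0.0
        return min(cap, base * 2 ** (failures - 1))
    return delay


def threshold_policy(free_attempts: int = 4, delay_after: float = 60.0) -> Policy:
    """Roger's variant: no delay for the first N failures, then a flat delay."""
    def delay(failures: int) -> float:
        return 0.0 if failures < free_attempts else delay_after
    return delay


@dataclass
class UserState:
    failures: int = 0        # consecutive failed logins since the last success
    last_failure: float = 0  # clock reading when the last failure was recorded


@dataclass
class LoginThrottle:
    policy: Policy
    users: Dict[str, UserState] = field(default_factory=dict)  # keyed by username, not IP

    def retry_after(self, username: str, now: float) -> float:
        """Seconds the caller must still wait before the next attempt (0 = allowed)."""
        st = self.users.get(username)
        if st is None:
            return 0.0
        ready_at = st.last_failure + self.policy(st.failures)
        return max(0.0, ready_at - now)

    def attempt(self, username: str, password_ok: bool, now: float) -> bool:
        """Process one login attempt; True only if it is accepted.

        `password_ok` stands in for the real credential check. An attempt
        inside the delay window is rejected before that check happens, so
        it neither reveals anything nor counts as a further failure.
        """
        if self.retry_after(username, now) > 0:
            return False
        st = self.users.setdefault(username, UserState())
        if password_ok:
            self.users.pop(username, None)  # a successful login resets the counter
            return True
        st.failures += 1
        st.last_failure = now
        return False


def time_to_make_guesses(policy: Policy, guesses: int) -> float:
    """Minimum wall-clock seconds needed to submit `guesses` wrong passwords
    for one account under `policy` (the delay is paid after each failure)."""
    return sum(policy(k) for k in range(1, guesses))


if __name__ == "__main__":
    for name, policy in (("exponential", exponential_policy()),
                         ("threshold", threshold_policy())):
        for n in (4, 10, 100):
            print(f"{name:12s} {n:4d} guesses need {time_to_make_guesses(policy, n):>10.0f} s")
```

Under the threshold policy an attacker is held to one guess per minute after the fourth failure, while the exponential policy reaches the cap quickly and then also degenerates to one guess per cap interval; the practical difference is how soon a legitimate user who mistyped twice is slowed down, which is the point Roger raises.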

_______________________________________________
tor-project mailing list
tor-project@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project