On Tue, 8 Aug 2017 13:41:06 +1000
teor <teor2345@xxxxxxxxx> wrote:
> Use an exponentially-increasing timeout for the next login every time
> a login fails for a user. (Some sites do it for failed logins per IP
> address, too, but that's silly, because open proxies.) This is
> equivalent to an automatically-resetting lockout, but requires the
> attacker to spend as much time as the lockout time setting it up.

That seems hard to do given:

> In general it can be configured to release the lock after some amount
> of time. However each visit to trac happens at Unix epoch by
> configuration, so the plugin would never release the lock. If we want
> to configure automatic unlocking, we would have to change our
> webserver settings (as far as I see it).

Without looking at the trac code. Maybe it's not.

Regards,

-- 
Yawning Angel
_______________________________________________ tor-project mailing list tor-project@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
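A sketch of the per-user exponential delay proposed in the quoted text, and of why a request clock pinned at the Unix epoch blocks any time-based release. This is an added example, not code from Trac or its lockout plugin; `LoginBackoff`, `FakeClock`, the one-second base delay and the one-hour cap are assumptions made for illustration.

```python
import time


class LoginBackoff:
    """Per-user exponential delay after failed logins (hypothetical helper)."""

    def __init__(self, base=1.0, cap=3600.0, clock=time.monotonic):
        self.base = base    # delay after the first failure, in seconds
        self.cap = cap      # upper bound, so the delay cannot grow forever
        self.clock = clock  # injected so the time source can be swapped
        self.state = {}     # user -> (consecutive failures, next allowed time)

    def retry_after(self, user):
        """Seconds until this user may try again (0.0 means allowed now)."""
        _, next_ok = self.state.get(user, (0, 0.0))
        return max(0.0, next_ok - self.clock())

    def record_failure(self, user):
        """Double the delay on each consecutive failure and return it."""
        fails, _ = self.state.get(user, (0, 0.0))
        fails += 1
        delay = min(self.cap, self.base * 2 ** (fails - 1))
        self.state[user] = (fails, self.clock() + delay)
        return delay

    def record_success(self, user):
        """A successful login clears the user's failure history."""
        self.state.pop(user, None)


class FakeClock:
    """Constructed time source for the demo; `now` is set by hand."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


def demo():
    ticking = FakeClock(1000.0)            # a clock that can advance
    working = LoginBackoff(clock=ticking)
    delays = [working.record_failure("alice") for _ in range(4)]
    ticking.now += delays[-1]              # wait out the last delay
    released = working.retry_after("alice") == 0.0

    frozen = FakeClock(0.0)                # every request "happens at the epoch"
    stuck = LoginBackoff(clock=frozen)
    stuck.record_failure("alice")
    still_locked = stuck.retry_after("alice") > 0.0  # never changes
    return delays, released, still_locked
```

With the frozen clock the stored release time is never reached, so the time-based release depends on the server seeing real request times.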