#23120: Make it harder to brute-force Trac user passwords
 Reporter:  gk                                |          Owner:  qbi
     Type:  defect                            |         Status:  closed
 Priority:  Medium                            |      Milestone:
Component:  Internal Services/Service - trac  |        Version:
 Severity:  Normal                            |     Resolution:  fixed
 Keywords:                                    |  Actual Points:
Parent ID:                                    |         Points:
 Reviewer:                                    |        Sponsor:
Changes (by qbi):

 * status:  new => closed
 * resolution:   => fixed


 The `trac.ini` now has the following settings:

 login_attempt_max_count = 17
 user_lock_max_time = 10

 This means that after 17 failed attempts the account will be locked. A
 normal user who wants to log in through the website would not take that
 many attempts. So the assumption is that it is an automatic approach.

 The second line means that the account will be locked for 10 seconds. This
 is just a workaround. According to the
 [https://trac-hacks.org/wiki/CookBook/AccountManagerPluginConfiguration CookBook]
 it should be `0`. However, when it is set, trac throws an error. Due to the
 fact that every user visits this site at the same time, the 10 seconds also
 results in an indefinite time.

 If a user's login was locked, the user can contact the trac admin to unlock
 the account. So they can use the `cypherpunks` account to create a ticket or
 contact us in other ways.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23120#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
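
Added example, not part of the ticket and not AccountManagerPlugin code: a simplified model of the lockout the comment describes, used to count how many wrong guesses per hour are actually checked against one account when the lock lasts 10 seconds versus one hour. Assumptions: the options sit in an `[account-manager]` section, the lock lasts exactly `user_lock_max_time` seconds, the failure counter resets when a lock is set, and attempts arrive once per second.

```python
import configparser

# Constructed trac.ini fragment with the two values from the ticket.
# Assumption: the section name is [account-manager].
SAMPLE_INI = """
[account-manager]
login_attempt_max_count = 17
user_lock_max_time = 10
"""

def load_lockout(ini_text):
    """Return (max failed attempts, lock seconds) from a trac.ini string."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sec = cp["account-manager"]
    return sec.getint("login_attempt_max_count"), sec.getint("user_lock_max_time")

class LockoutGuard:
    """Assumed model: lock after max_count failures, counter resets on lock."""
    def __init__(self, max_count, lock_seconds):
        self.max_count = max_count
        self.lock_seconds = lock_seconds
        self.failures = 0
        self.locked_until = 0

    def attempt(self, now, password_ok):
        """Return 'locked', 'ok' or 'failed' for a login at time `now` (seconds)."""
        if now < self.locked_until:
            return "locked"          # rejected without checking the password
        if password_ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_count:
            self.locked_until = now + self.lock_seconds
            self.failures = 0
        return "failed"

def guesses_checked(max_count, lock_seconds, window_seconds):
    """Wrong guesses the guard evaluates in the window at one attempt per second."""
    guard = LockoutGuard(max_count, lock_seconds)
    results = (guard.attempt(t, password_ok=False) for t in range(window_seconds))
    return sum(1 for r in results if r == "failed")

if __name__ == "__main__":
    max_count, lock = load_lockout(SAMPLE_INI)
    print("10 s lock, per hour:", guesses_checked(max_count, lock, 3600))
    print("1 h lock, per hour: ", guesses_checked(max_count, 3600, 3600))
```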