#23120: Make it harder to brute-force Trac user passwords
----------------------------------------------+------------------------
 Reporter:  gk                                 |          Owner:  qbi
     Type:  defect                             |         Status:  closed
 Priority:  Medium                             |      Milestone:
Component:  Internal Services/Service - trac   |        Version:
 Severity:  Normal                             |     Resolution:  fixed
 Keywords:                                     |  Actual Points:
Parent ID:                                     |         Points:
 Reviewer:                                     |        Sponsor:
----------------------------------------------+------------------------
Changes (by qbi):

 * status:  new => closed
 * resolution:   => fixed

Comment:

 The `trac.ini` now has the following settings:
 {{{
 login_attempt_max_count = 17
 user_lock_max_time = 10
 }}}

 This means that after 17 failed attempts the account will be locked. A
 normal user who wants to log in through the website would not take that
 many attempts. So the assumption is that it is an automatic approach.

 The second line means that the account will be locked for 10 seconds. This
 is just a workaround. According to the
 [https://trac-hacks.org/wiki/CookBook/AccountManagerPluginConfiguration CookBook]
 it should be `0`. However, when it is set, Trac throws an error. Due to the
 fact that every user visits this site at the same time the 10 seconds also
 result in an indefinite time.

 If a user's login was locked the user can contact the trac admin to unlock
 the account. So they can use the `cypherpunks` account to create a ticket
 or contact us in other ways.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23120#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
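
An added example, not part of the original ticket and not code from Trac or AccountManagerPlugin: a small model of a lock-after-N-failures policy using the two values quoted above, to show how many guesses reach the password check in a given time. The lock semantics (every attempt is rejected while locked, the failure counter resets when the lock expires) and all names are assumptions made for this sketch.

```python
from dataclasses import dataclass

MAX_FAILURES = 17   # login_attempt_max_count from the ticket
LOCK_SECONDS = 10   # user_lock_max_time from the ticket


@dataclass
class Account:
    password: str
    failures: int = 0
    locked_until: float = 0.0   # seconds; 0 means "not locked"


def attempt(acct, supplied, now,
            max_failures=MAX_FAILURES, lock_seconds=LOCK_SECONDS):
    """Return 'ok', 'denied' or 'locked' for one login attempt at time `now`."""
    if now < acct.locked_until:
        return "locked"               # rejected even if the password is right
    if acct.locked_until:             # lock expired: start a fresh window
        acct.locked_until, acct.failures = 0.0, 0
    if supplied == acct.password:
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= max_failures:
        acct.locked_until = now + lock_seconds
    return "denied"


def admin_unlock(acct):
    """Manual unlock by an administrator, as the ticket describes."""
    acct.failures, acct.locked_until = 0, 0.0


def guesses_evaluated(duration, rate_per_second, **policy):
    """Count wrong guesses that were actually checked against the password
    during `duration` seconds of constant-rate (constructed) traffic."""
    acct = Account(password="correct horse")   # constructed value
    evaluated = 0
    for i in range(int(duration * rate_per_second)):
        result = attempt(acct, f"guess-{i}", now=i / rate_per_second, **policy)
        if result == "denied":
            evaluated += 1
    return evaluated
```

Under these assumptions, `guesses_evaluated(60, 4)` shows the lock cutting 240 requests per minute down to 84 checked guesses, and a legitimate login is also refused while the lock is active.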