https://bugzilla.wikimedia.org/show_bug.cgi?id=61101

Neozoon <neoz...@gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |neoz...@gmx.net

--- Comment #10 from Neozoon <neoz...@gmx.net> ---
I think it is not a good idea to install the PasswordMaxLoginFailed check if it
really disables the account. 

The account names are all known. There are only 9 admin accounts (all login
names known) that need to be attacked, and the OTRS is locked down if an
attacker does 90 login attempts with these accounts.

This risk is much higher than the risk of a brute-force attack on passwords
that would require a massive amount of login attempts and cannot be successful
if the password strength rules are enabled.

Best regards
Neozoon
