Remove sleep() from the password modules (see #1848)

Description ----------- Because 1. the effect is marginal and can even encourage timing attacks, 2. we already have real brute force protection for logins, 3. it will mislead people to believe that `sleep(2)` is an appropriate means to mitigate brute force attacks (see #1769), which it is definitely not! Commits ------- 1aaab19 Remove sleep() from the password modules
contao · Jun 19, 2020 · 333de5c · 333de5c
1 parent 9736169
commit 333de5c
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 2 deletions.
diff --git a/core-bundle/src/Resources/contao/modules/ModuleChangePassword.php b/core-bundle/src/Resources/contao/modules/ModuleChangePassword.php
@@ -150,7 +150,6 @@ protected function compile()
 					{
 						$objWidget->value = '';
 						$objWidget->addError($GLOBALS['TL_LANG']['MSC']['oldPasswordWrong']);
-						sleep(2); // Wait 2 seconds while brute forcing :)
 					}
 				}
 

diff --git a/core-bundle/src/Resources/contao/modules/ModulePassword.php b/core-bundle/src/Resources/contao/modules/ModulePassword.php
@@ -152,7 +152,6 @@ protected function compile()
 
 			if ($objMember === null)
 			{
-				sleep(2); // Wait 2 seconds while brute forcing :)
 				$this->Template->error = $GLOBALS['TL_LANG']['MSC']['accountNotFound'];
 			}
 			else