Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove sleep() from the password modules #1848

Merged
merged 1 commit into from Jun 19, 2020
Merged

Remove sleep() from the password modules #1848

merged 1 commit into from Jun 19, 2020

Conversation

leofeyer
Copy link
Member

Because

  1. the effect is marginal and can even encourage timing attacks,
  2. we already have real brute force protection for logins,
  3. it will mislead people to believe that sleep(2) is an appropriate means to mitigate brute force attacks (see Prevent brute force in ModuleCloseAccount #1769), which it is definitely not!

@leofeyer leofeyer added the bug label Jun 19, 2020
@leofeyer leofeyer added this to the 4.10 milestone Jun 19, 2020
@leofeyer leofeyer requested a review from a team June 19, 2020 13:49
@leofeyer leofeyer self-assigned this Jun 19, 2020
@leofeyer leofeyer mentioned this pull request Jun 19, 2020
Closed
@leofeyer leofeyer merged commit 333de5c into contao:master Jun 19, 2020
@leofeyer leofeyer deleted the fix/sleep branch June 19, 2020 14:37
AlexejKossmann pushed a commit to AlexejKossmann/contao that referenced this pull request Apr 6, 2021
@leofeyer
Remove sleep() from the password modules (see contao#1848)
b8c82fe 
Description
-----------

Because

1. the effect is marginal and can even encourage timing attacks,
2. we already have real brute force protection for logins,
3. it will mislead people to believe that `sleep(2)` is an appropriate means to mitigate brute force attacks (see contao#1769), which it is definitely not!

Commits
-------

1aaab19 Remove sleep() from the password modules
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ausi ausi ausi approved these changes

@Toflar Toflar Toflar approved these changes

@bytehead bytehead bytehead approved these changes

@fritzmg fritzmg fritzmg approved these changes

Assignees

@leofeyer leofeyer

Labels
bug
Projects
None yet
Milestone
4.10
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@leofeyer @ausi @Toflar @bytehead @fritzmg