ThomasTJdev / nim_websitecreator

Nim fullstack website framework - deploy a website within minutes
https://nimwc.org
MIT License

Block bruteforce & timer on 2fa #66

Closed ThomasTJdev closed 5 years ago

ThomasTJdev commented 5 years ago

1) Block bruteforce attempt based on IP address. Max n-try and wait for x-minutes before retry.

2) After successful username and password, limit time to x-seconds and x-retry 2fa, before username and password are required again.

This will take off some server load and improve the UI for users not using 2FA.

@juancarlospaco, this way we still prevent bruteforcing the 2FA due to a time limit and max retry. Would that be an okay solution?
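The two mechanisms proposed above, as an added Nim example that is not nimwc's own code: an in-memory per-IP lockout (block after n failed password attempts for x minutes) and a time-boxed 2FA step that allows x retries within x seconds before username and password are required again. The constants, the `Limiter` type, the token-keyed session table and the `when isMainModule` walk-through are assumptions for illustration; a real deployment would persist this state in the database nimwc already uses rather than in process memory.

```nim
## Added example (not nimwc's own code): per-IP brute-force lockout plus a
## time-boxed 2FA window after a successful password check. All names and
## constants below are assumptions chosen for illustration.
import std/[tables, times, options]

const
  maxLoginTries = 5          # n failed password tries before the IP is blocked
  lockoutMinutes = 10        # x minutes the IP has to wait before retrying
  twoFaWindowSeconds = 120   # x seconds the 2FA step stays open
  maxTwoFaTries = 3          # x retries of the 2FA code inside that window

type
  IpState = object
    failures: int            # consecutive failed password attempts
    blockedUntil: Time       # zero Time means "not blocked"

  TwoFaSession = object
    userId: int
    expiresAt: Time
    triesLeft: int

  Limiter = ref object
    ips: Table[string, IpState]
    sessions: Table[string, TwoFaSession]   # keyed by a one-time token

proc newLimiter(): Limiter =
  Limiter(ips: initTable[string, IpState](),
          sessions: initTable[string, TwoFaSession]())

proc isBlocked(l: Limiter, ip: string, now = getTime()): bool =
  ## True while the IP is still inside its lockout period.
  l.ips.hasKey(ip) and now < l.ips[ip].blockedUntil

proc recordPasswordFailure(l: Limiter, ip: string, now = getTime()) =
  ## Count a failed attempt; on the n-th one block the IP for x minutes
  ## and reset the counter so the next lockout needs n fresh failures.
  var st = l.ips.getOrDefault(ip)
  inc st.failures
  if st.failures >= maxLoginTries:
    st.blockedUntil = now + initDuration(minutes = lockoutMinutes)
    st.failures = 0
  l.ips[ip] = st

proc openTwoFaWindow(l: Limiter, ip: string, userId: int, token: string,
                     now = getTime()) =
  ## Called once username+password verified: clear the IP counter and open a
  ## short 2FA window bound to a token the "next page" carries in its cookie.
  l.ips.del(ip)
  l.sessions[token] = TwoFaSession(
    userId: userId,
    expiresAt: now + initDuration(seconds = twoFaWindowSeconds),
    triesLeft: maxTwoFaTries)

proc checkTwoFa(l: Limiter, token: string, codeOk: bool,
                now = getTime()): Option[int] =
  ## Consume one 2FA try. Returns the user id on success; returns none when
  ## the window expired, the retries ran out, or the code was wrong. Every
  ## terminal outcome deletes the session, so password entry is required again.
  if not l.sessions.hasKey(token):
    return none(int)
  var s = l.sessions[token]
  if now > s.expiresAt:
    l.sessions.del(token)
    return none(int)
  if codeOk:
    l.sessions.del(token)
    return some(s.userId)
  dec s.triesLeft
  if s.triesLeft <= 0:
    l.sessions.del(token)          # x wrong codes: back to the password form
  else:
    l.sessions[token] = s
  none(int)

when isMainModule:
  # Constructed walk-through with a fixed clock so the output is deterministic.
  let t0 = fromUnix(1_700_000_000)
  let l = newLimiter()
  for i in 1 .. maxLoginTries:
    l.recordPasswordFailure("203.0.113.7", t0)
  echo "blocked after ", maxLoginTries, " failures: ", l.isBlocked("203.0.113.7", t0)
  echo "still blocked 1 min later: ", l.isBlocked("203.0.113.7", t0 + initDuration(minutes = 1))
  echo "free again after lockout: ", l.isBlocked("203.0.113.7", t0 + initDuration(minutes = lockoutMinutes))

  # Password accepted from another IP: open the 2FA window.
  l.openTwoFaWindow("198.51.100.4", userId = 42, token = "demo-token", now = t0)
  echo "wrong code 1: ", l.checkTwoFa("demo-token", codeOk = false, now = t0).isSome
  echo "wrong code 2: ", l.checkTwoFa("demo-token", codeOk = false, now = t0).isSome
  echo "right code within window: ", l.checkTwoFa("demo-token", codeOk = true, now = t0 + initDuration(seconds = 30))
  # Session is consumed; a replay of the token fails and needs a fresh login.
  echo "replayed token: ", l.checkTwoFa("demo-token", codeOk = true, now = t0).isSome
```

Two design points worth keeping in mind when wiring this into the login handler: the client IP must be the one the server actually saw (or a trusted proxy's forwarded header), otherwise an attacker controls the lockout key and can either evade the limit or lock out other users sharing a NAT; and the 2FA token should be random and unguessable, since it stands in for the already-verified password until the window closes.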

juancarlospaco commented 5 years ago

With 2FA you only have 30 seconds to brute force; with a >10-char password, that makes it almost impossible. Is this needed :grey_question:

I think that with 2FA, Recaptcha and Firejail we are pretty much covered on security; there's other stuff to improve, like the info on the demo page, design, themes, etc. Let's add code where it is needed...

ThomasTJdev commented 5 years ago

I have no need for the timeout, it was because of our discussion at PR #39 where you linked to the CPU in case of bruteforcing. I would just like to move the 2FA to a "next page", so it's not shown to users who are not using 2FA.

Yep, it's low priority compared to the topics you listed.

juancarlospaco commented 5 years ago

Oh, that's completely different :grey_exclamation: I misunderstood. Feel free to move 2FA to an intermediate page. :+1: