jeena / jlog

A weblog engine written in PHP4
GNU General Public License v2.0

Delay for wrong password #4

Open RobbBienert opened 11 years ago

RobbBienert commented 11 years ago

Modern operating systems make an attacker wait some seconds before the next try if he typed a wrong password. This could easily be implemented in admin/login.php, but should it be done? Or may we generally sleep(1) before showing the login form?

jeena commented 11 years ago

Yeah, that is a good idea, to sleep(1) if you put in the wrong password.

RobbBienert commented 11 years ago

Hm, I guess a general sleep(1) could be the better choice (plus another second or more for a wrong password), because otherwise an attacker could measure the Jlog response and detect a wrong password a bit earlier. But the legitimate admin shouldn't care about this short delay (I don't, and I wrote a small plugin, DelayedLogin, that generally sleeps 1 second).

jeena commented 11 years ago

But isn't that how a normal login into a Unix machine works too? If you have the right login you get in, if not it waits a bit and slows you down. On the other hand, if I brute-force then I don't wait for the answer, I just bombard the server with parallel requests.

RobbBienert commented 11 years ago

Brute-forcing is the reason why I suggest a small general delay, for example before triggering the dispatchLogin hook. At this stage Jlog either waits the delay before supplying the login form or before processing the login attempt.
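The shape of the check discussed in this thread (a fixed delay on every request that touches the login path, plus an extra delay after a wrong password), written out as an added example. This is not jlog's own code and not the DelayedLogin plugin; it assumes a modern PHP (5.5 or later) for `password_hash()`/`password_verify()`, which PHP4 does not have, and the stored hash, constants and `check_admin_login()` function are hypothetical names chosen for the example.

```php
<?php
// Added example, not jlog's own code. Assumes PHP >= 5.5 (password_verify);
// jlog targets PHP4, where that function does not exist.

define('LOGIN_BASE_DELAY', 1);  // seconds paid by every request on the login path
define('LOGIN_FAIL_DELAY', 2);  // extra seconds paid only after a wrong password

// Hypothetical stored credential. In a real install the hash would live in the
// blog's config; the plaintext appears here only so the example is self-contained.
function admin_password_hash() {
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    }
    return $hash;
}

/**
 * Verify a submitted password. Returns true on success, false otherwise.
 *
 * The base delay is paid before verification, so a request for the empty form
 * and a login attempt both take at least LOGIN_BASE_DELAY seconds. A failure then
 * pays LOGIN_FAIL_DELAY on top. password_verify() compares in constant time, so
 * the response time depends only on the outcome, never on how many characters
 * of the guess matched.
 */
function check_admin_login($submitted) {
    sleep(LOGIN_BASE_DELAY);
    $ok = password_verify((string) $submitted, admin_password_hash());
    if (!$ok) {
        sleep(LOGIN_FAIL_DELAY);
    }
    return $ok;
}

// Usage, as it might sit at the top of admin/login.php before the dispatchLogin
// hook runs: the plain form request waits too, as suggested in the thread.
if (isset($_POST['password'])) {
    if (check_admin_login($_POST['password'])) {
        echo "Logged in\n";       // start the admin session here
    } else {
        echo "Wrong password\n";
    }
} else {
    sleep(LOGIN_BASE_DELAY);
    echo "Login form would be rendered here\n";
}
```

Caveat from the thread itself: a sleep() only slows down a single connection. An attacker who fires requests in parallel, as the second-to-last comment points out, pays the delay once per worker, not once per guess, so a delay is a nuisance rather than a limit. Bounding the number of failed attempts per account or per source address over a time window is what actually caps the guess rate; the delay is still worth having because it is cheap and it also ties up each of the attacker's connections.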