Manuel Vacelet (vaceletm) 2016-01-21 17:22
Thanks for the explanation, I no longer remembered why this change was made.
Status changed from Verified to Closed
Assigned to changed from None to Thomas Gerbet (tgerbet)
Close date set to 2016-01-21
Thomas Gerbet (tgerbet) 2016-01-21 14:57
Indeed there was a sort of protection in an older Tuleap version. It was removed, you can see request #7754. The protection was inefficient and it was not possible to make it efficient without impacting legitimate users. Blocking brute force attacks in this context is not really easy. We do not want to introduce the possibility of denial of service attacks or add a new way to enumerate users. Instead of using some kind of timeout/lock-out-account technique we could probably use a CAPTCHA to make the attack harder to carry out. Also, multi-factor authentication could help if your password is compromised. However, for this issue the answer is not only technical. Brute force attacks are not realistic on a login form (too slow, way too slow...) when your users use a strong password, so we should find ways to encourage that.
TLDR: I do not want to reintroduce this protection as is in Tuleap, as it is useless and could even be dangerous.
Status changed from New to Verified
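The two risks named in the comment above (per-account lockout handing an attacker a denial of service against any user, and a "locked" response revealing which usernames exist) can be shown side by side with a small simulation. The code below is an added illustration, not Tuleap code and not the removed protection from request #7754; the user table, IP addresses and threshold of 5 failures are constructed for the example. It contrasts a naive per-account lockout with a throttle keyed on the client address that returns the same answer for existing and non-existing users and, past the threshold, demands a CAPTCHA stand-in instead of locking the account.

```python
import hashlib
import hmac

# Constructed user database for the example: username -> PBKDF2 hash.
_SALT = b"example-salt-not-for-production"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {
    "alice": _hash("correct horse battery staple"),
    "bob": _hash("another-long-passphrase"),
}
# Hash compared for unknown usernames so the response time does not
# depend on whether the account exists.
_DUMMY = _hash("dummy-password")


def password_ok(username: str, password: str) -> bool:
    stored = USERS.get(username, _DUMMY)
    return hmac.compare_digest(stored, _hash(password)) and username in USERS


class AccountLockout:
    """Naive per-account lockout: counts failures per username and answers
    'locked' once the threshold is hit. Unknown usernames can never be
    locked, so the 'locked' answer itself leaks account existence, and any
    client can lock a victim's account by sending wrong passwords."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures: dict[str, int] = {}

    def attempt(self, username: str, password: str, source_ip: str) -> str:
        if username in USERS and self.failures.get(username, 0) >= self.max_failures:
            return "locked"
        if password_ok(username, password):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "invalid"


class SourceThrottle:
    """Throttle keyed on the client address, not the account. Every failed
    login gets the same 'invalid' answer whether or not the user exists;
    past the threshold the client must solve a challenge (CAPTCHA stand-in,
    modelled here as the captcha_solved flag) before a login is evaluated.
    A victim logging in from another address is unaffected."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures: dict[str, int] = {}

    def attempt(self, username: str, password: str, source_ip: str,
                captcha_solved: bool = False) -> str:
        if self.failures.get(source_ip, 0) >= self.max_failures and not captcha_solved:
            return "captcha_required"
        if password_ok(username, password):
            return "ok"
        self.failures[source_ip] = self.failures.get(source_ip, 0) + 1
        return "invalid"


def compare_strategies() -> dict[str, str]:
    """Run the same attacker script against both strategies and return the
    responses that matter: what the attacker learns about 'alice' (exists)
    versus 'mallory' (does not), and whether alice can still log in."""
    attacker, victim = "198.51.100.7", "192.0.2.10"
    results = {}
    for name, guard in (("lockout", AccountLockout()), ("throttle", SourceThrottle())):
        for _ in range(5):
            guard.attempt("alice", "wrong", attacker)
            guard.attempt("mallory", "wrong", attacker)
        results[f"{name}_existing"] = guard.attempt("alice", "wrong", attacker)
        results[f"{name}_unknown"] = guard.attempt("mallory", "wrong", attacker)
        results[f"{name}_victim_login"] = guard.attempt(
            "alice", "correct horse battery staple", victim)
    return results


if __name__ == "__main__":
    for key, value in compare_strategies().items():
        print(f"{key}: {value}")
```

With the lockout, the sixth guess returns `locked` for alice and `invalid` for mallory (enumeration), and alice's correct password from her own address is also answered `locked` (denial of service). With the throttle, both usernames get `captcha_required` and alice still logs in. The throttle is deliberately not a complete defence: an attacker spread over many addresses still gets the threshold number of free guesses per address, which is why the comment puts the weight on strong passwords and multi-factor authentication rather than on the throttle alone.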