在 2013-9-6 AM3:25,"Tristan Santore" <tristan.santore@xxxxxxxxxxxxxxxxxxxxx>写道:
> I have another idea. Could we not do a password check, and if the
> password is correct, provide the 2fa interface, if then a user does
> not enter the 2fa, an email is send to the actual user informing of a
> failed login attempt, with the date and time and maybe IP ?
>
> Does this sound more secure to anyone else ?
Wow... that would be great. This is the most serious case we should care about.
IMHO We should pretend to be "normal" when we meet such case like mailman subscribe, but I think we also should notify users when $(TIMES) times wrong password entered. $(TIMES) can be set by users, after limited times if wrong password comes again we should block the IP.
My blog use plugin with my modification:
If attacker has entered wrong password for 1 times(I set it to 1 because this case is suitable for me), then if attacker tries to storm my account for the third time, its IP will be blocked 10000 mins. So I won't receive too many emails about failed login attempt, but I don't know if Fedora Infra wants to support this way...
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure