Nicolas Évrard changed bug 1078111
What   Removed   Added
CC               nicolas.evrard@b2ck.com

Comment # 6 on bug 1078111 from
Hello everyone,

I am glad to have a 3rd party look over this issue that was met with so much
hostility. I am not here to start again a feud with Axel or Luis (in fact I
suggested to Axel to start a discussion here about this issue).

Yet I have some criticism regarding Luis' solution. The original patch removed
the exponential wait process we had (against brute force attack), it was its
main issue. I am glad to see that Luis is ready to drop this part of the patch.

Let me explain why we're keeping the records in the database and we want to
keep it this way. First of all, you could have multiple trytond instances
running on different computers sharing only the database, so storing the number
of failed logins in the database is a natural solution. We also have to keep in
mind that trytond can run in multiple environments: Linux, BSD and there might
even be a few people using Windows; of course this doesn't concern openSUSE but
it concerns us. The proposed solution will have to work for those platforms; I
don't know about the status of systemd on OpenBSD, but I am afraid it does not
work at all ;).

A solution to mitigate the growth of the LoginAttempt table might be to keep
track of the IP making the attempt and keep at most X attempts from the same
IP. In fact after some research it seems that it is the solution that Drupal
chose:
https://api.drupal.org/api/drupal/modules!user!user.module/function/user_login_authenticate_validate/7.x

About the "failed_login_timeout" parameter, I think it is not a good idea as it
removes the whole brute force protection mechanism that we have. Moreover you
skip the wait after max_attempt has been made (by default 5), thus people will
wait (with the default settings) a maximum of 32 seconds after their fifth
wrong login attempt. This seems reasonable given the fact that people already
gave a wrong password 5 times.
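The scheme the comment describes (failed attempts kept in the shared database, an exponential wait, and a per-IP cap on stored rows to bound table growth), as an added example that is not trytond's own code. An in-memory SQLite table stands in for the shared database; the `2**n` wait rule capped at `2**max_attempt` is an assumption chosen so the default reproduces the 32-second figure above, and `MAX_PER_IP` is the hypothetical "X".

```python
import sqlite3

MAX_ATTEMPTS = 5   # trytond's default max_attempt, per the comment
MAX_PER_IP = 10    # hypothetical cap ("X") on rows kept per source IP


def open_db():
    """Create a constructed LoginAttempt table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login_attempt (login TEXT, ip TEXT, ts REAL)")
    return conn


def record_failure(conn, login, ip, now):
    """Store one failed attempt, then drop the oldest rows from that IP so
    that at most MAX_PER_IP remain (this is what bounds table growth)."""
    conn.execute("INSERT INTO login_attempt VALUES (?, ?, ?)",
                 (login, ip, now))
    conn.execute(
        "DELETE FROM login_attempt WHERE rowid IN ("
        "  SELECT rowid FROM login_attempt WHERE ip = ?"
        "  ORDER BY ts DESC LIMIT -1 OFFSET ?)",
        (ip, MAX_PER_IP))


def failures_for(conn, login):
    """Number of stored failures for a login, shared by every trytond node."""
    return conn.execute("SELECT COUNT(*) FROM login_attempt WHERE login = ?",
                        (login,)).fetchone()[0]


def attempts_from(conn, ip):
    """Number of stored rows for a source IP (never exceeds MAX_PER_IP)."""
    return conn.execute("SELECT COUNT(*) FROM login_attempt WHERE ip = ?",
                        (ip,)).fetchone()[0]


def required_wait(failure_count):
    """Seconds to wait before the next attempt is processed.
    Assumed rule: 2**n after n failures, capped at 2**MAX_ATTEMPTS (32 s
    with the defaults), so the brute-force slowdown is never skipped."""
    if failure_count == 0:
        return 0
    return 2 ** min(failure_count, MAX_ATTEMPTS)


def clear_failures(conn, login):
    """Reset the counter once the user authenticates successfully."""
    conn.execute("DELETE FROM login_attempt WHERE login = ?", (login,))
```

One caveat the test makes visible: pruning by IP alone can discard another login's failures coming from the same address, so a per-login cap or a time-based expiry is the safer companion to the per-IP limit.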
