On Tue, Aug 15, 2017 at 8:26 PM, Daniel Gustafsson <daniel@yesql.se> wrote:
> On 15 Aug 2017, at 12:18, Magnus Hagander <magnus@hagander.net> wrote:
>
> > Here's an updated patch
> In the below hunk, s/decicated/dedicated/:
+a decicated account, or use one of the third party sign-in systems below.
Fixed in local dev branch.
> Without being terribly well versed in Django (or Python), the logic seems quite reasonable to me on a read through/review.
Thanks.
> > that does this. It will try in order:
> > <firstname><lastinitial>, e.g. stephenf
> > <firstinitial><lastname>, e.g. sfrost
> > <firstname><lastinitial><number>, e.g. stephenf0, stephenf1, stephenf2 etc
>
> How about a random number instead? Not that I see any immediate risk with anything here, but many years of looking at logs from web attacks has taught me that predictability is what is being tried first.
I'm not really sure what the attack scenario would be though? I think the sequential one would generally generate a nicer name, and we're not trying an infinite number. Plus to even get there you must have logged in with a google (or something) account that already failed the first two checks. And if you then want to do it again, you have to create another third party account and loop over it...
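As an added illustration (not code from the pgweb patch under discussion, and not the project's own implementation), here is the candidate order quoted above in Python, with the sequential numeric suffix the patch describes and the random-suffix variant suggested in reply. The lower-casing/stripping of non-alphanumerics, the bound of ten suffix attempts and the four-digit random suffix are assumptions made for this example; the thread itself only says the list of attempts is finite.

```python
import re
import secrets
from typing import Iterable, Iterator, Optional

# Added example, not pgweb's own code. It follows the candidate order quoted in
# the thread (<firstname><lastinitial>, <firstinitial><lastname>, then
# <firstname><lastinitial><number>). The normalisation rule, the bound on the
# number of suffixes tried and the 4-digit random suffix are assumptions.

MAX_SUFFIX_ATTEMPTS = 10  # assumed bound; the thread only says "not infinite"


def _normalize(part: str) -> str:
    """Lower-case and keep only ASCII letters and digits (assumed policy)."""
    return re.sub(r"[^a-z0-9]", "", part.lower())


def candidate_usernames(firstname: str, lastname: str,
                        random_suffix: bool = False,
                        attempts: int = MAX_SUFFIX_ATTEMPTS,
                        digits: int = 4) -> Iterator[str]:
    """Yield candidates in the order the thread describes.

    With random_suffix=False the numeric suffix is 0, 1, 2, ... (the posted
    scheme); with random_suffix=True it is a zero-padded random number, the
    variant suggested in the thread. Either way the number of candidates is
    bounded by `attempts`, so the caller can never loop forever.
    """
    first, last = _normalize(firstname), _normalize(lastname)
    if not first or not last:
        return  # nothing sensible to build from; the caller gets None
    yield first + last[0]          # e.g. stephenf
    yield first[0] + last          # e.g. sfrost
    base = first + last[0]
    for n in range(attempts):
        if random_suffix:
            yield f"{base}{secrets.randbelow(10 ** digits):0{digits}d}"
        else:
            yield f"{base}{n}"     # e.g. stephenf0, stephenf1, ...


def generate_username(firstname: str, lastname: str, taken: Iterable[str],
                      random_suffix: bool = False) -> Optional[str]:
    """Return the first candidate not already taken, or None when the bounded
    candidate list is exhausted (the caller must then ask the user to pick a
    name instead of retrying indefinitely)."""
    taken_lower = {t.lower() for t in taken}  # compare case-insensitively
    for cand in candidate_usernames(firstname, lastname, random_suffix):
        if cand not in taken_lower:
            return cand
    return None
```

The random variant only changes which suffix is tried next; the collision check against existing names and the cap on attempts are the same, so unguessability is gained without reopening the "infinite loop" question raised in the reply.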