authboss v2.4.1 Release Notes

Release Date: 2020-05-18 // almost 4 years ago
  • 🛠 Fixed

    🛠 Fix a security issue where a user could brute-force a password based on differing responses that are returned from the site when the incorrect password is entered versus the correct password.

    This comes with a slight change in behavior to minimize differences between the code paths of a correct vs incorrect password: The "attempt" time is always ⬆️ bumped in the DB no matter if it was the right or wrong password when being rejected for locking.