authboss v2.4.1 Release Notes
Release Date: 2020-05-18
Fixed
Fix a security issue where a user could brute-force a password based on differing responses that are returned from the site when the incorrect password is entered versus the correct password.
This comes with a slight change in behavior to minimize differences between the code paths of a correct vs incorrect password: the "attempt" time is always bumped in the DB, no matter if it was the right or wrong password, when being rejected for locking.
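A simplified model of this class of issue and of the behavior change described above, added here as an illustration and not authboss's own code. The `Account` type, the function names and the response strings are hypothetical, and the pre-fix ordering in `loginLeaky` is an assumption about how such a difference can arise; `leaksWhileLocked` is the kind of regression check that catches it.

```go
package main

import (
	"fmt"
	"time"
)

// Account is a hypothetical record, not an authboss type; a real store keeps a password hash.
type Account struct {
	Password                 string
	LockedUntil, LastAttempt time.Time
}

// loginLeaky (assumed pre-fix shape): password first, lock second, so a locked account reveals a correct guess.
func loginLeaky(a *Account, pw string, now time.Time) string {
	if pw != a.Password {
		a.LastAttempt = now
		return "invalid credentials"
	}
	if now.Before(a.LockedUntil) {
		return "account locked"
	}
	return "ok"
}

// loginUniform: attempt time is always bumped and the lock is checked before the password.
func loginUniform(a *Account, pw string, now time.Time) string {
	a.LastAttempt = now
	if now.Before(a.LockedUntil) {
		return "account locked"
	}
	if pw != a.Password {
		return "invalid credentials"
	}
	return "ok"
}

// leaksWhileLocked reports whether a locked account treats a right and a wrong guess differently.
func leaksWhileLocked(login func(*Account, string, time.Time) string) bool {
	now := time.Date(2020, 5, 18, 12, 0, 0, 0, time.UTC) // constructed sample time
	mk := func() *Account { return &Account{Password: "s3cret", LockedUntil: now.Add(time.Hour)} }
	good, bad := mk(), mk()
	return login(good, "s3cret", now) != login(bad, "wrong", now) ||
		!good.LastAttempt.Equal(bad.LastAttempt)
}

func main() {
	fmt.Println("leaky:", leaksWhileLocked(loginLeaky), "uniform:", leaksWhileLocked(loginUniform))
}
```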