[wp-hackers] Stronger default passwords

Kitty kitty at mookitty.co.uk
Wed Dec 22 03:38:18 UTC 2004


On Tue, 2004-12-21 at 20:16, Mark Jaquith wrote:
> Why don't we just prompt the user for an admin password when we ask for 
> email and blog name?  As it is, we give it to them, so it's not like 
> there's really a security problem.  It'd sure save a lot of frustration 
> for users who don't write down the admin password (yeah, me once). We 
> could enforce minimum length or complexity if we wanted, too, if we 
> wanted to make things more secure.

All good points, and all I really have to say is:
Most people putting up a blog don't have the necessary paranoia to pick
a password on an open to the internet login page[1]. We should definitely
continue to provide the password. I think it should be stronger.

Also waiting for a password stops the install, which is not good.

[1] Look how surprised new users are when they get hit w/ comment spam.
Imagine the outrage of "How was I supposed to know that 'pumpkin' wasn't
a good password?[2]" They can change it after the install of course, but
it's out of our hands then.

[2] Even with validity checks, easy-to-dictionary passwords will be
chosen.
-- 
Cheers,		     Blog: http://blog.mookitty.co.uk
Kitty		     PC Repair: http://www.girltech.net
		     WP Plugins: http://mookitty.co.uk/devblog
Support proactive security: http://www.openbsd.org/orders.html
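An added illustration of the point in [2], not code from this thread or from WordPress: a typical install-time length-plus-character-class check happily accepts a decorated dictionary word like "Pumpkin1", while a CSPRNG-generated default password sidesteps the problem entirely. The mini-wordlist and the 76-symbol alphabet are constructed assumptions.

```python
import math
import secrets
import string

# Constructed stand-in for a real cracking wordlist (assumption, not a real list).
COMMON_WORDS = {"pumpkin", "password", "letmein", "admin", "wordpress", "welcome"}

# Alphabet the installer would draw from: 52 letters + 10 digits + 14 symbols = 76.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def passes_complexity_check(pw: str, min_len: int = 8) -> bool:
    """The kind of validity check an installer might enforce on a user-chosen password."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def is_dictionary_based(pw: str) -> bool:
    """Strip the trivial decorations people add to satisfy the check, then look it up.

    A cracker's rule set does the same thing, so 'Pumpkin1' is no safer than 'pumpkin'.
    """
    core = pw.lower().strip(string.digits + string.punctuation)
    return core in COMMON_WORDS


def generate_default_password(length: int = 12) -> str:
    """What the installer could hand out instead: a CSPRNG-chosen string from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(choices: int, alphabet_size: int) -> float:
    """Search space in bits for `choices` independent picks from `alphabet_size` options."""
    return choices * math.log2(alphabet_size)


def compare_strength(wordlist_size: int = 100_000, length: int = 12) -> dict:
    """One dictionary word (even decorated) is one pick from the wordlist;
    a generated password is `length` picks from ALPHABET."""
    return {
        "dictionary_word_bits": entropy_bits(1, wordlist_size),
        "generated_bits": entropy_bits(length, len(ALPHABET)),
    }
```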