[wp-hackers] Securing Wordpress Login

Doug Stewart dstewart at atl.lmco.com
Tue Aug 22 13:32:23 GMT 2006


Arne Brachhold wrote:
> Viper007Bond wrote:
>> I'm all for blocking people from the login form after X fails, but
>> changing
>> passwords and forcing secure passwords is retarded IMO.
> 
> Definitely. I've never seen a web application / service which changed
> my password without my request.
> 
>> Sure, a strength _indicator_ would be cool, but forcing?
> 
> No, never force it, just mark it as "Bad" so people can decide. Not
> every blog needs a super-secure-10-character password.
> 
> All we need is a solution to slow down automated attacks but without
> annoying the actual user.
> 

Why not add a concept of "safe IPs" or somesuch?  Allow admins to
specify their home IP address (well, assuming they've got a static
one...) as a failsafe IP.  Login attempts coming from anywhere else are
subject to account suspensions, etc., while the home IP is always kept
open as an option of last resort.

I'd just hate to have people DoS'd by jerks attempting to log in, as
previously pointed out, every 19 seconds or so.

--
----------
Doug Stewart
Senior Systems Administrator/Web Applications Developer
Lockheed Martin Advanced Technology Labs
dstewart at atl.lmco.com
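The "safe IP" idea from the message above, worked through as an added illustration (this is not code from the thread or from WordPress): a small lockout policy where failed logins from any address lock the account for a while, but the admin's registered home address is never refused, so someone hammering the login every 19 seconds cannot lock the real owner out. The class name `LoginThrottle`, the thresholds and the sample addresses are my own assumptions.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Lock an account after max_failures failed logins inside `window`
    seconds, for `lockout` seconds. Addresses registered as the account's
    safe IP (the home address from the message above) are never blocked,
    so a third party cannot lock the real owner out of their own blog."""

    def __init__(self, max_failures=5, window=900, lockout=900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # account -> failure timestamps
        self.locked_until = {}              # account -> time the lock expires
        self.safe_ips = defaultdict(set)    # account -> registered safe IPs

    def add_safe_ip(self, account, ip):
        # `ip` must be the real TCP peer address; trusting a client-supplied
        # header such as X-Forwarded-For would let anyone claim the safe address.
        self.safe_ips[account].add(ip)

    def is_blocked(self, account, ip, now):
        """True if a login attempt from `ip` should be refused right now."""
        if ip in self.safe_ips[account]:
            return False  # the home IP is the option of last resort
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account, now):
        """Count a failed login; return True if it triggered a lockout."""
        q = self.failures[account]
        q.append(now)
        while q and q[0] <= now - self.window:  # forget failures outside window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, account, now):
        """A correct password clears the failure history for the account."""
        self.failures[account].clear()
        self.locked_until.pop(account, None)


if __name__ == "__main__":
    t = LoginThrottle()
    t.add_safe_ip("admin", "203.0.113.10")          # constructed home address
    for i in range(1, 6):                            # attacker, every 19 seconds
        t.record_failure("admin", 19 * i)
    print(t.is_blocked("admin", "192.0.2.44", 100))  # True: locked elsewhere
    print(t.is_blocked("admin", "203.0.113.10", 100))  # False: home IP stays open
```

The lock is keyed per account, so the attacker's effect is confined to that account and expires after `lockout` seconds even if the owner never logs in from home.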

