[wp-trac] [WordPress Trac] #24673: provide mainline supported rename of wp-login

WordPress Trac noreply at wordpress.org
Tue Apr 1 04:46:25 UTC 2014


#24673: provide mainline supported rename of wp-login
--------------------------+-----------------------
 Reporter:  jorhett       |       Owner:
     Type:  defect (bug)  |      Status:  reopened
 Priority:  normal        |   Milestone:
Component:  Security      |     Version:  3.5.2
 Severity:  critical      |  Resolution:
 Keywords:  close         |     Focuses:
--------------------------+-----------------------

Comment (by jorhett):

 I am deeply amused by people with no apparent knowledge or experience with
 security mechanisms making all sorts of claims about what actually
 improves security. This goes back to what I said before -- it's false
 dilemmas created by suggesting a false effort and comparing it to the
 current, with even more joy added by making allegations about what
 increases security that defy actual statistical analysis.

 Saying it because you believe it does not make it truth. There is an
 extensive history of security mechanisms that proves that *ANY* third
 factor improves security significantly. Granted that crypto-based hardware
 tokens are better than shared keys/salts, but not half as much as you
 might think.

 Furthermore, testing of "strong passwords" has generally proven that human
 limitations of what they can and will type into their devices combined
 with a strict limitation of acceptable characters produces *EASIER* to
 crack passwords, not harder ones.

 So please get off the "it ain't better because I said so" and consider
 real options. The REST API could just as easily have a configurable
 endpoint and/or extendable auth mechanism. I build these things daily,
 this would be trivial for you to support.

 If you build it with a single termination point, just like you've built
 your current auth mechanism, you'll continue to be the market leader in
 p0wn3d sites. You have ~50% of the CMS market at best, but 90% of the
 p0wn3d sites. When is that going to matter to you?

--
Ticket URL: <https://core.trac.wordpress.org/ticket/24673#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform