[wp-hackers] Stronger default passwords

Kitty kitty at mookitty.co.uk
Wed Dec 22 03:38:18 UTC 2004

On Tue, 2004-12-21 at 20:16, Mark Jaquith wrote:
> Why don't we just prompt the user for an admin password when we ask for 
> email and blog name?  As it is, we give it to them, so it's not like 
> there's really a security problem.  It'd sure save a lot of frustration 
> for users who don't write down the admin password (yeah, me once). We 
> could enforce minimum length or complexity if we wanted, too, if we 
> wanted to make things more secure.

All good points, and all I really have to say is:
Most people putting up a blog don't have the necessary paranoia to pick
a password on a open to the internet login page[1]. We should definitely
continue to provide the password. I think it should be stronger.

Also waiting for a password stops the intall, which is not good.

[1] Look how surprised new users are when they get hit w/ comment spam.
Imagine the outrage of "How was I supposed to know that 'pumpkin' wasn't
a good password?[2]" They can change it after the install of course, but
it's out of our hands then.

[2] Even with validity checks, easy to dictionary passwords will be
Cheers,		     Blog: http://blog.mookitty.co.uk
Kitty		     PC Repair: http://www.girltech.net
		     WP Plugins: http://mookitty.co.uk/devblog
Support proactive security: http://www.openbsd.org/orders.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : /pipermail/hackers_wordpress.org/attachments/20041221/77ec5616/attachment.bin

More information about the hackers mailing list