[wp-hackers] Maybe a secure-hole
Aaron D. Campbell
aaron at xavisys.com
Thu Oct 9 17:05:03 GMT 2008
I agree that "Knowing the username gets you no closer to finding the
password" and I'd agree that I don't consider it a "security risk" or
"security hole." However, I do think that knowing the username gets you
closer to getting into the system, and that changing the default "admin"
login to something else DOES improve security. Maybe not by a lot, but
it does. You need a matching username/pass to get in, and if you don't
know either it will take you longer to break in by brute force than if
you have one of the two.
Otto wrote:
> The username is not protected information. The password is. Knowing
> the username gets you no closer to finding the password, and is not a
> security risk at all.
>
> Along the same lines, changing the default "admin" to something else
> is also not a security improvement. I generally do change it because I
> like using a different login name, but it doesn't help security one
> little bit.
>
> Nobody ever hacks a WordPress blog by figuring out the username and password.
>