[wp-trac] [WordPress Trac] #21737: Users should have to jump through hoops to set passwords of their choosing, and we should guard better against weak passwords
WordPress Trac
noreply at wordpress.org
Thu Apr 18 00:39:15 UTC 2013
#21737: Users should have to jump through hoops to set passwords of their choosing,
and we should guard better against weak passwords
-----------------------------+------------------------------
Reporter: markjaquith | Owner: westi
Type: feature request | Status: accepted
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: |
-----------------------------+------------------------------
Comment (by iandunn):
Replying to [comment:27 clwill]:
> The lesson to be learned from that is if you reduce it from
> 1000 guesses/sec to 10 guesses/day the timeframe turns into millennia,
> regardless of password strength.
Are you proposing that Core place a hard limit on the number of times per
day a user can fail a login attempt? The problem with doing that is that
it can easily be abused to lock the user out of their account. All an
attacker has to do is log in with an incorrect password 10x per day, and
the legitimate user can never log in.
Even if you do it based on IP rather than the user account, modern botnets
will coordinate their attack to vary the IP with each attempt, and can
have massive IP pools.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/21737#comment:28>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
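The two abuse cases iandunn describes, as an added illustration that is not code from WordPress core or from the ticket: a toy failed-login limiter that can be keyed either by username or by client IP, with a hypothetical 10-failures-per-day threshold and constructed usernames, passwords and IP addresses. The first scenario shows an attacker locking the real user out by exhausting the per-account budget; the second shows a per-IP limit stopping a single-IP attacker but never triggering when each guess comes from a different address.

```python
from collections import defaultdict, deque

# Hypothetical policy: lock a key after LIMIT failures inside a sliding WINDOW (one day).
LIMIT = 10
WINDOW_SECONDS = 86400

# Constructed sample credential store (not real users).
USERS = {"alice": "correct horse battery staple"}


class FailureLimiter:
    """Sliding-window counter of failed logins per arbitrary key (username or IP)."""

    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.failures = defaultdict(deque)  # key -> timestamps of failures

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_locked(self, key, now):
        self._prune(key, now)
        return len(self.failures[key]) >= self.limit

    def record_failure(self, key, now):
        self._prune(key, now)
        self.failures[key].append(now)


class LoginService:
    """Minimal login flow; key_func decides what the lockout is counted against."""

    def __init__(self, users, key_func):
        self.users = users
        self.key_func = key_func
        self.limiter = FailureLimiter()

    def login(self, username, password, ip, now):
        key = self.key_func(username, ip)
        if self.limiter.is_locked(key, now):
            return "locked"
        if self.users.get(username) == password:
            return "ok"
        self.limiter.record_failure(key, now)
        return "fail"


def per_account_lockout_abuse():
    """Attacker burns the victim's daily failure budget; victim is locked out until the window passes."""
    svc = LoginService(USERS, key_func=lambda user, ip: "user:" + user)
    attacker_ip = "198.51.100.7"  # constructed
    for i in range(LIMIT):
        svc.login("alice", f"wrong-{i}", attacker_ip, now=i)
    legit_ip = "192.0.2.10"  # constructed
    return {
        "legit_during_lock": svc.login("alice", USERS["alice"], legit_ip, now=LIMIT),
        "legit_after_window": svc.login("alice", USERS["alice"], legit_ip, now=LIMIT + WINDOW_SECONDS),
    }


def per_ip_limit_single_source():
    """Per-IP keying does stop an attacker who reuses one address, without touching the victim."""
    svc = LoginService(USERS, key_func=lambda user, ip: "ip:" + ip)
    attacker_ip = "198.51.100.7"
    outcomes = [svc.login("alice", f"wrong-{i}", attacker_ip, now=i) for i in range(LIMIT + 1)]
    legit = svc.login("alice", USERS["alice"], "192.0.2.10", now=LIMIT + 1)
    return outcomes[-1], legit


def per_ip_limit_rotated_pool(pool_size=1000):
    """Attacker with a large IP pool sends one guess per address; no key ever reaches LIMIT."""
    svc = LoginService(USERS, key_func=lambda user, ip: "ip:" + ip)
    outcomes = []
    for i in range(pool_size):
        ip = f"10.0.{i // 256}.{i % 256}"  # constructed pool of distinct addresses
        outcomes.append(svc.login("alice", f"guess-{i}", ip, now=i))
    return outcomes.count("locked"), len(outcomes)


if __name__ == "__main__":
    print(per_account_lockout_abuse())
    print(per_ip_limit_single_source())
    print(per_ip_limit_rotated_pool())
```

The rotated-pool case is the one that matters for sizing: with a pool of N addresses the attacker gets about (LIMIT - 1) * N free guesses per window before any per-IP key trips, so the "10 guesses/day" figure only holds against a single source.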