[wp-hackers] Limit Login Attempts

Andrew Nacin wp at andrewnacin.com
Wed Apr 17 15:12:37 UTC 2013

On Wed, Apr 17, 2013 at 10:40 AM, Chris Williams <chris at clwill.com> wrote:

> I'm not trying to solve the idiot user.  You can't help them from
> themselves.  I'm trying to kill this bot.

Except, that's nearsighted. We're talking about a massive botnet with
hundreds of thousands of IP addresses, likely growing in size by the day,
with the attacks likely to grow in complexity over time — and this is just
one botnet. This isn't just something you can stop, certainly not by a web
service. Maybe if every major (and minor) hosting company teamed up to
create a set of firewall rules that were constantly getting updated to
respond to evolving attacks, we could start to see some improvement. But
most of them are already doing this independently (and likely with some
collaboration), and it's still causing quite a bit of panic.

So, given these two facts:
 * The bot can succeed if you have a weak password
 * The bot can't succeed if you have a strong password

Should we put our efforts toward "trying to kill this bot", which, given
that these massive and complex botnets are capable of disrupting the
Internet of entire countries, is naïve? Or should we try to "solve the idiot
user"? I'm going to go with helping the user as much as possible.


