[wp-hackers] Admin Login Brute Force Attacks

Ian Dunn ian at iandunn.name
Wed Mar 20 22:21:13 UTC 2013

Do you mean they'll have no effect on preventing the login attempts, in 
the way that IP banning does? I'd agree with that, but I don't think 
that's the only way to have an effect.

The reason I thought it was relevant was because a simple password like 
"ilovefluffy" would take a script a few hours/days to crack, while a 
WP-generated password like "'}?(x${G9oYRM.7" would take years/decades 
(via HTTP, but obviously much less if they had the db hash).

I do think you make a good point about frustrating users, though, which 
can often have the unintended consequence of encouraging them to adopt 
insecure practices to make things more convenient for themselves (e.g., 
writing the new password on a stickynote because it's too complex to 
memorize.). For computer-literate users, I think encouraging them to use 
a password manager might be a good idea, but that would be too 
complicated for some beginners.

On 03/20/2013 02:44 PM, Chris Williams wrote:
> Stricter password rules have virtually no effect on brute force attacks,
> they simply infuriate legitimate users.
> On 3/20/13 1:29 PM, "Ian Dunn" <ian at iandunn.name> wrote:
>> #21737 will tighten password rules.

More information about the wp-hackers mailing list