[wp-hackers] Admin Login Brute Force Attacks
Ian Dunn
ian at iandunn.name
Wed Mar 20 22:21:13 UTC 2013
Do you mean they'll have no effect on preventing the login attempts, in
the way that IP banning does? I'd agree with that, but I don't think
that's the only way to have an effect.
The reason I thought it was relevant was because a simple password like
"ilovefluffy" would take a script a few hours/days to crack, while a
WP-generated password like "'}?(x${G9oYRM.7" would take years/decades
(via HTTP, but obviously much less if they had the db hash).
I do think you make a good point about frustrating users, though, which
can often have the unintended consequence of encouraging them to adopt
insecure practices to make things more convenient for themselves (e.g.,
writing the new password on a sticky note because it's too complex to
memorize). For computer-literate users, I think encouraging them to use
a password manager might be a good idea, but that would be too
complicated for some beginners.
On 03/20/2013 02:44 PM, Chris Williams wrote:
> Stricter password rules have virtually no effect on brute force attacks,
> they simply infuriate legitimate users.
>
> On 3/20/13 1:29 PM, "Ian Dunn" <ian at iandunn.name> wrote:
>
>> #21737 will tighten password rules.
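To put numbers on the comparison Ian makes between "ilovefluffy" and a WP-generated password, here is an added example (not from the thread or from WordPress) that estimates brute-force keyspace under a character-class model and the time to exhaust it at an online (login form) versus offline (leaked hash) guess rate; the symbol alphabet and both guess rates are constructed assumptions.

```python
import math
import string

# Character classes used to estimate the alphabet an attacker must cover.
# The symbol set is an assumption (printable ASCII punctuation), not WordPress's list.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Constructed, illustrative guess rates, not measurements.
ONLINE_HTTP_RATE = 10               # guesses/second through the login form
OFFLINE_HASH_RATE = 1_000_000_000   # guesses/second against a leaked db hash

def charset_size(password: str) -> int:
    """Size of the alphabet implied by the character classes present."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def keyspace(password: str) -> int:
    """Number of candidates of this length drawn from the same alphabet."""
    return charset_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    """log2 of the keyspace. Dictionary phrases like 'ilovefluffy' are far
    weaker than this model suggests; it only bounds pure brute force."""
    return math.log2(keyspace(password))

def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return keyspace(password) / guesses_per_second

def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    for pw in ("ilovefluffy", "'}?(x${G9oYRM.7"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits; "
              f"online {human(seconds_to_exhaust(pw, ONLINE_HTTP_RATE))}, "
              f"offline {human(seconds_to_exhaust(pw, OFFLINE_HASH_RATE))}")
```

The offline figure is what matters once the hash leaks, which is why the model's generous estimate for a lowercase phrase should not be taken as comfort.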