On Tuesday, July 12, 2011 3:33:13 AM UTC-4, pbreit wrote:

> If I'm not mistaken, without the localhost requirement, a fraudster can go to /admin and run a pretty simple dictionary attack since they only need to guess the password.

Alternatively, you could just use a strong random password on production (and change it periodically). I use Roboform to generate and remember 20+ character random passwords (another good option is Lastpass). Even with some of the other protections being discussed, this is still a good idea.

Anthony