Please don't make a mandatory complexity. On my dev site I use a simple password and it doesn't bother me if somebody breaks in.

Delay sounds good.


Kenneth

We can make a delay default to 1 second and double it every failed attempt.
We should add complexity. I would take a patch or add an issue in Google Code.

On Jul 12, 8:01 am, cjrh <caleb.hatti...@gmail.com> wrote:
I like the timeout/delay idea for a failed password, and I very much like the IP block after a number of failed attempts, but I am not too fond of a complexity requirement. During development on my local machine (bound to localhost), my standard admin password is "a". I would have to deal with a complexity checker during development; and if we then say it will be enabled only for production but not dev, then we need more code and error-handling to manage the distinction, and it all becomes a lot of work.
I think the safeguards that are currently in web2py are quite sufficient, and we can improve them a little bit more by penalizing brute force on the password, which, as pbreit pointed out, is currently vulnerable.
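As an added illustration of the two ideas discussed in this thread (a delay that starts at 1 second and doubles on every failed attempt, plus a block on the client address after a number of failures), here is a small, self-contained Python throttle. It is example code written for this discussion, not web2py's admin login code and not anything posted by the participants; the failure threshold (5), the block duration (600 s) and keying on the client address are assumptions, and the clock and sleep hooks exist only so the logic can be exercised without real waiting.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class _ClientState:
    failures: int = 0           # consecutive failed attempts from this client
    blocked_until: float = 0.0  # monotonic timestamp; 0.0 means not blocked


class LoginThrottle:
    """Per-client penalty for failed logins.

    Delay policy from the thread: 1 second after the first failure, doubled
    on every further failure, cleared on a successful login.  The block
    after `max_failures` consecutive failures is the IP-block idea; the
    threshold and block duration are assumed values, not web2py settings.
    """

    def __init__(self, base_delay: float = 1.0, max_failures: int = 5,
                 block_seconds: float = 600.0,
                 clock: Callable[[], float] = time.monotonic):
        self.base_delay = base_delay
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.clock = clock  # injectable so tests need not wait in real time
        self._state: Dict[str, _ClientState] = {}

    def delay_for(self, client: str) -> float:
        """Seconds the next attempt from `client` must wait (0 with no failures)."""
        st = self._state.get(client)
        if st is None or st.failures == 0:
            return 0.0
        return self.base_delay * 2 ** (st.failures - 1)  # 1, 2, 4, 8, ...

    def is_blocked(self, client: str) -> bool:
        """True while the client is inside its block window; expiry resets it."""
        st = self._state.get(client)
        if st is None:
            return False
        if st.blocked_until and self.clock() >= st.blocked_until:
            self._state.pop(client, None)  # block expired: clean slate
            return False
        return st.blocked_until > 0.0

    def record_failure(self, client: str) -> None:
        st = self._state.setdefault(client, _ClientState())
        st.failures += 1
        if st.failures >= self.max_failures:
            st.blocked_until = self.clock() + self.block_seconds

    def record_success(self, client: str) -> None:
        self._state.pop(client, None)  # success clears the backoff


def attempt_login(throttle: LoginThrottle, client: str, supplied: str,
                  expected: str, sleep: Callable[[float], None] = time.sleep) -> str:
    """Apply the penalty, then check the password.

    Returns 'blocked', 'ok' or 'failed'.  The delay is applied before the
    check so every attempt after a failure costs the attacker the wait.
    """
    if throttle.is_blocked(client):
        return "blocked"
    delay = throttle.delay_for(client)
    if delay:
        sleep(delay)
    # Constant-time comparison; a real deployment compares password hashes.
    if hmac.compare_digest(supplied.encode(), expected.encode()):
        throttle.record_success(client)
        return "ok"
    throttle.record_failure(client)
    return "failed"


if __name__ == "__main__":
    # Constructed demo: two wrong guesses from one address, then the right one.
    throttle = LoginThrottle()
    for guess in ("b", "c", "a"):
        print(guess, attempt_login(throttle, "127.0.0.1", guess, "a"))
```

One design point worth noting: sleeping inside the request handler holds a worker thread for the whole delay, so under a sustained attack the delay itself can become a denial-of-service lever against the admin interface. Rejecting the attempt immediately with a "retry after" response while the throttle still doubles the wait achieves the same slowdown without tying up the server.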
