On Tuesday, July 12, 2011 9:33:13 AM UTC+2, pbreit wrote:
> If I'm not mistaken, without the localhost requirement, a fraudster can go
> to /admin and run a pretty simple dictionary attack since they only need to
> guess the password.

Ok, as opposed to being required to know server, user and pass for a similar SSH attack? This is a good point. Perhaps we should add a slight delay in login processing for admin? At least we can make brute force intractable.
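
The login delay suggested in the reply above, sketched as an added example (not part of the thread and not the framework's own code): each failed admin password guess doubles that client's lockout up to a cap. The class name, the per-client key (assumed to be the source address), the 1 s base, the 1 h cap and the PBKDF2 parameters are all assumptions.

```python
import hashlib
import hmac
import time


def hash_password(password, salt):
    # PBKDF2 so each guess also costs CPU; the iteration count is an assumed value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AdminLoginThrottle:
    """Lock a client out for a delay that doubles after each failed guess."""

    def __init__(self, password_hash, salt, base=1.0, cap=3600.0, clock=time.monotonic):
        self.password_hash, self.salt = password_hash, salt
        self.base, self.cap, self.clock = base, cap, clock
        self.state = {}  # client id -> (failure count, locked-until timestamp)

    def delay_for(self, failures):
        # Exponent is bounded so a long run of failures cannot overflow a float.
        return min(self.base * 2 ** min(failures - 1, 30), self.cap)

    def attempt(self, client, password):
        """Return (authenticated, seconds the client must wait before retrying)."""
        failures, locked_until = self.state.get(client, (0, 0.0))
        wait = locked_until - self.clock()
        if wait > 0:
            return False, wait  # still locked: the password is not even checked
        if hmac.compare_digest(hash_password(password, self.salt), self.password_hash):
            self.state.pop(client, None)  # success clears the counter
            return True, 0.0
        failures += 1
        delay = self.delay_for(failures)
        self.state[client] = (failures, self.clock() + delay)
        return False, delay

    def seconds_for_guesses(self, n):
        # Total lockout time one client accumulates across n wrong guesses.
        return sum(self.delay_for(k) for k in range(1, n + 1))
```

With these assumed settings a 10,000-word dictionary run from one client accumulates about 416 days of lockout. A per-client counter does not slow guesses spread over many addresses, so a global cap on failed admin logins is still needed alongside it.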