I like the timeout/delay idea for a failed password, and I very much like the IP block after a number of failed attempts, but I am not too fond of a complexity requirement. During development on my local machine (bound to localhost), my standard admin password is "a". I would have to deal with a complexity checker during development; and if we then say it will be enabled only for production but not dev, then we need more code and error-handling to manage the distinction, and it all becomes a lot of work. I think the safeguards that are currently in web2py are quite sufficient, and we can improve it a little bit more by penalizing brute force on the password, which, as pbreit pointed out, is currently vulnerable.
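As an added illustration (not web2py's code and not the poster's), here is a per-IP login throttle that combines the two ideas the post favours: an escalating delay after each failed password and a full lockout once an IP passes a failure threshold. Class and function names, the thresholds and the injectable clock are assumptions made for the example.

```python
import hmac
import time
from collections import defaultdict


class LoginThrottle:
    """Tracks failed logins per source IP (process-local, in memory).

    Each failure doubles the wait before the next attempt is accepted;
    reaching max_failures switches to a long lockout instead. A success
    clears the record for that IP. `clock` is injectable for testing.
    """

    def __init__(self, max_failures=5, base_delay=1.0,
                 lockout_seconds=300, clock=time.time):
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(int)   # ip -> consecutive failures
        self.not_before = {}               # ip -> earliest accepted attempt

    def check(self, ip):
        """Return (allowed, seconds_to_wait) for this IP right now."""
        wait = self.not_before.get(ip, 0) - self.clock()
        return (wait <= 0, max(0, wait))

    def record_failure(self, ip):
        """Penalise a failed attempt and return the delay imposed."""
        self.failures[ip] += 1
        n = self.failures[ip]
        if n >= self.max_failures:
            delay = self.lockout_seconds            # IP block
        else:
            delay = self.base_delay * 2 ** (n - 1)  # 1s, 2s, 4s, ...
        self.not_before[ip] = self.clock() + delay
        return delay

    def record_success(self, ip):
        self.failures.pop(ip, None)
        self.not_before.pop(ip, None)


def attempt_login(throttle, ip, password, expected="correct-horse"):
    """Stand-in login handler: returns (status, seconds)."""
    allowed, wait = throttle.check(ip)
    if not allowed:
        return ("blocked", wait)
    # constant-time compare stands in for real password-hash verification
    if hmac.compare_digest(password, expected):
        throttle.record_success(ip)
        return ("ok", 0)
    return ("failed", throttle.record_failure(ip))
```

Because the counters live in the process, a multi-process or multi-host deployment would need to keep them in shared storage for the lockout to hold across workers.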