Hi Jacqui,

--- Jacqui Cook <[EMAIL PROTECTED]> wrote:
> Issues 2. Removing the password unintentionally allows the login to be
> used to test user names.
> We can put the password back tomorrow. It was removed for other
> reasons, but given the severity of this - this can be done tomorrow.

Can we be notified somehow of failed login attempts? This would increase security immeasurably, if we were emailed (perhaps to multiple email addresses) every time someone used a bad password (this would deter brute force cracking attempts).

Also, perhaps the RWI should list the past 20 login IP addresses (and time-stamps, and maybe browser agents, and other things that can be autodetected with JavaScript), not just the prior 1. This would allow better intrusion detection.

If it's possible to change our login name (on a one-time basis), that would help too.

Sincerely,

George Kirikos
http://www.kirikos.com/
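
An added example, not part of the original message or of the RWI's code: one way to implement the two requests above, a failed-login notice mailed to several addresses and a per-account history of the last 20 logins. The `send_mail` hook, the account name, the sample addresses and the five-minute alert throttle are assumptions of this example.

```python
import time
from collections import defaultdict, deque

HISTORY_SIZE = 20     # the message asks for the past 20 logins, not only the prior one
ALERT_INTERVAL = 300  # assumption: at most one alert mail per account per 5 minutes

class LoginAudit:
    def __init__(self, recipients, send_mail):
        self.recipients = recipients  # account -> list of e-mail addresses
        self.send_mail = send_mail    # hypothetical hook: send_mail(to, subject, body)
        self.history = {a: deque(maxlen=HISTORY_SIZE) for a in recipients}
        self.last_alert = {}                # account -> time of last alert mail
        self.suppressed = defaultdict(int)  # failures not mailed since that alert

    def record(self, account, ip, user_agent, success, now=None):
        """Log one attempt; return True if an alert mail was sent."""
        if account not in self.history:
            return False  # unknown name: keep no per-name state an attacker could grow
        now = time.time() if now is None else now
        # The User-Agent is client-supplied: truncate it and drop control characters.
        agent = "".join(c for c in user_agent[:200] if c.isprintable())
        self.history[account].append((now, ip, agent, success))
        if success:
            return False
        last = self.last_alert.get(account)
        if last is not None and now - last < ALERT_INTERVAL:
            self.suppressed[account] += 1  # throttled so alerts cannot flood the inbox
            return False
        stamp = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(now))
        body = f"Failed login for {account} from {ip} at {stamp}\nUser-Agent: {agent}\n"
        extra = self.suppressed.pop(account, 0)
        if extra:
            body += f"{extra} earlier failed attempt(s) were not mailed separately\n"
        self.send_mail(self.recipients[account], f"Failed login attempt: {account}", body)
        self.last_alert[account] = now
        return True

    def recent(self, account):
        """Newest-first list of (time, ip, user_agent, success) for the account page."""
        return list(reversed(self.history.get(account, ())))

if __name__ == "__main__":
    # Constructed sample data: documentation IP ranges and a made-up account name.
    audit = LoginAudit({"example-account": ["ops@example.com", "owner@example.com"]},
                       lambda to, subject, body: print(to, subject, body, sep="\n"))
    audit.record("example-account", "192.0.2.10", "Mozilla/5.0", True)
    audit.record("example-account", "198.51.100.7", "curl/8.0", False)
    for entry in audit.recent("example-account"):
        print(entry)
```

The throttle departs from "every time" on purpose: without it, anyone who can reach the login form can make the system mail the account holders without limit.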