This can work.

On 13 Jul 2011, at 2:55 AM, Anthony <[email protected]> wrote:

> If you add a complexity requirement, make it for remote connections only.
>
> Anthony
>
> On Tuesday, July 12, 2011 6:32:48 PM UTC-4, Massimo Di Pierro wrote:
> we can make a delay default to 1 second and double it every failed
> attempt.
> we should add complexity. I would take a patch or add an issue in
> google code.
>
> > On Jul 12, 8:01 am, cjrh <[email protected]> wrote:
> > I like the timeout/delay idea for a failed password, and I very much like
> > the IP block after a number of failed attempts, but I am not too fond of a
> > complexity requirement. During development on my local machine (bound to
> > localhost), my standard admin password is "a". I would have to deal
> > with a complexity checker during development; and if we then say it will be
> > enabled only for production but not dev, then we need more code and
> > error-handling to manage the distinction, and it all becomes a lot of work.
> > I think the safeguards that are currently in web2py are quite sufficient,
> > and we can improve it a little bit more by penalizing brute force on the
> > password, as pbreit pointed out is currently vulnerable.
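The two ideas discussed above (a delay that starts at 1 second and doubles on every failed attempt, and a complexity check that applies to remote connections only) sketched as a small Python throttle. This is an added illustration, not web2py's code; the class and function names, the loopback exemption and the specific complexity rule are assumptions, and the clock is injectable so the delays can be checked offline.

```python
import ipaddress
import re
import time


class LoginThrottle:
    """Per-client failed-login backoff: 1 s after the first failure, 2 s after the
    second, 4 s after the third, and so on (capped). A successful login clears it.
    Hypothetical helper; `clock` is injectable for offline testing."""

    def __init__(self, base_delay=1.0, max_delay=3600.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._state = {}  # client_ip -> (failure_count, not_before_timestamp)

    def wait_remaining(self, client_ip):
        """Seconds the client must still wait before another attempt is considered."""
        _, not_before = self._state.get(client_ip, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_failure(self, client_ip):
        """Register a failed attempt and return the delay now imposed on this client."""
        failures, _ = self._state.get(client_ip, (0, 0.0))
        failures += 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[client_ip] = (failures, self.clock() + delay)
        return delay

    def record_success(self, client_ip):
        self._state.pop(client_ip, None)


def password_acceptable(password, client_ip):
    """Complexity check enforced for remote clients only; loopback connections
    (local development) are exempt. The rule itself is a constructed example."""
    if ipaddress.ip_address(client_ip).is_loopback:
        return True
    return (len(password) >= 8
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"\d", password) is not None)


def attempt_login(throttle, client_ip, credentials_ok):
    """Return (accepted, seconds_to_wait). `credentials_ok` is the outcome of the
    real credential check, which is out of scope here."""
    remaining = throttle.wait_remaining(client_ip)
    if remaining > 0:
        return False, remaining          # still inside the backoff window
    if credentials_ok:
        throttle.record_success(client_ip)
        return True, 0.0
    return False, throttle.record_failure(client_ip)
```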

