that cannot be done. The admin password is set locally always, never
remotely (unless you change it via admin).

On Jul 12, 7:55 pm, Anthony <[email protected]> wrote:
> If you add a complexity requirement, make it for remote connections only.
>
> Anthony
>
> On Tuesday, July 12, 2011 6:32:48 PM UTC-4, Massimo Di Pierro wrote:
> > we can make a delay default to 1 second and double it every failed
> > attempt.
> > we should add complexity. I would take a patch or add an issue in
> > google code.
>
> > On Jul 12, 8:01 am, cjrh <[email protected]> wrote:
> > > I like the timeout/delay idea for a failed password, and I very much like
> > > the IP block after a number of failed attempts, but I am not too fond of a
> > > complexity requirement.  During development on my local machine (bound to
> > > localhost), my standard admin password is "a".  I would have to deal
> > > with a complexity checker during development; and if we then say it will be
> > > enabled only for production but not dev, then we need more code and
> > > error-handling to manage the distinction, and it all becomes a lot of work.
> > > I think the safeguards that are currently in web2py are quite sufficient,
> > > and we can improve it a little bit more by penalizing brute force on the
> > > password, which, as pbreit pointed out, is currently vulnerable.
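The throttle discussed in the thread (a delay that starts at 1 second and doubles after every failed attempt, plus an IP block after a number of consecutive failures) can be put together as below. This is an added example, not web2py's own code and not code from anyone in the thread; the class and method names, the defaults (5 failures, 600 second block) and the in-memory dict used for state are all assumptions made for illustration. The `verify` callable stands in for whatever compares the candidate against the stored admin password hash.

```python
# Added example (not web2py's own code): the brute-force throttle proposed in
# the thread, a delay that starts at 1 second and doubles after every failed
# attempt, plus a block of the client IP after a number of consecutive
# failures. Class and method names are illustrative; state lives in a dict,
# which a real deployment would replace with storage shared across workers.
import time
from dataclasses import dataclass


@dataclass
class _ClientState:
    failures: int = 0           # consecutive failed attempts from this IP
    not_before: float = 0.0     # earliest time the next attempt is accepted
    blocked_until: float = 0.0  # non-zero while the IP is blocked outright


class BruteForceGuard:
    """Throttle password attempts per client IP.

    Verdicts returned by check(): "ok", "bad_password", "too_fast", "blocked".
    """

    def __init__(self, verify, base_delay=1.0, max_failures=5,
                 block_seconds=600.0, clock=time.monotonic):
        self.verify = verify              # callable(candidate) -> bool
        self.base_delay = base_delay
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.clock = clock                # injectable so tests can fake time
        self._state = {}

    def delay_for(self, ip):
        """Seconds the client must still wait before its next attempt (0 if none)."""
        st = self._state.get(ip)
        if st is None:
            return 0.0
        return max(0.0, st.not_before - self.clock())

    def check(self, ip, candidate):
        now = self.clock()
        st = self._state.setdefault(ip, _ClientState())

        if st.blocked_until:
            if now < st.blocked_until:
                return False, "blocked"
            st = self._state[ip] = _ClientState()   # block expired: clean slate

        if now < st.not_before:
            # Refuse before comparing, and without sleeping: a sleep inside the
            # request handler would let an attacker tie up worker threads, and
            # skipping the comparison means a correct guess made too early
            # leaks nothing. An early attempt is not counted as a failure.
            return False, "too_fast"

        if self.verify(candidate):
            self._state.pop(ip, None)      # success clears the counters
            return True, "ok"

        st.failures += 1
        if st.failures >= self.max_failures:
            # Outright block. Trade-off: many clients behind one NAT share an
            # IP, so a long block can lock out legitimate users as well.
            st.blocked_until = now + self.block_seconds
            st.failures = 0
            st.not_before = 0.0
            return False, "blocked"

        # 1s after the first failure, 2s after the second, then 4s, 8s, ...
        st.not_before = now + self.base_delay * 2 ** (st.failures - 1)
        return False, "bad_password"


if __name__ == "__main__":
    # Constructed demo: the second guess arrives inside the 1 s delay window,
    # so it is refused as "too_fast" before the password is even compared.
    guard = BruteForceGuard(verify=lambda p: p == "hunter2")
    for guess in ("a", "b", "hunter2"):
        print(guess, guard.check("203.0.113.7", guess),
              "wait", guard.delay_for("203.0.113.7"))
```

Two design points worth keeping: the handler refuses early attempts instead of sleeping, so the delay costs the server nothing and cannot be turned into a worker-exhaustion attack, and a correct password submitted inside the delay window is still refused, so an attacker gains no information from the timing of the refusal. The `lambda` comparison is only a stand-in; the real check should compare against the stored hash with a constant-time comparison such as `hmac.compare_digest`.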
