[TYPO3-core] RFC: #11368: ENABLE_INSTALL_TOOL file should be ignored if older than one hour

Steffen Müller typo3 at t3node.com
Mon Jun 22 11:58:31 CEST 2009


Hi.

On 22.06.2009 11:43 Marc Wöhlken wrote:
> I don't believe deleting that file after any given period of time is a
> proper solution to this problem (weak passwords) - it will only make
> working with the install tool less convenient.
> 

I don't think so. The problem is not only weak passwords, but also an
unnecessary login possibility which can be avoided.
Even if you use strong passwords, chances are that an open login attracts
hackers. Strong passwords statistically minimize break-in chances, but
you'll never know if the hacker's brute force lands a lucky punch ;-)

> If we want better install tool security we should work on enforcing
> better passwords (e.g. by requiring a certain length and chars from
> different sets of chars like letters, numeric, etc.) or try to make
> brute force hack attempts impossible (by logging unsuccessful attempts
> and locking the install tool for a given IP).
> 

Sounds like a valuable additional feature, e.g. a password quality
checker implemented as a service. But this is OT here.

-- 
cheers,
Steffen

TYPO3 Blog: http://www.t3node.com/
Blubber on Twitter: http://twitter.com/t3node

