[TYPO3-core] RFC: #11368: ENABLE_INSTALL_TOOL file should be ignored if older than one hour

Marc Wöhlken woehlken at quadracom.de
Mon Jun 22 12:11:32 CEST 2009


Hi Steffen!
Steffen Müller wrote:
> On 22.06.2009 11:43 Marc Wöhlken wrote:
>> I don't believe deleting that file after any given period of time is a
>> proper solution to this problem (weak passwords) - it will only make
>> working with the install tool less convenient.
>>
> 
> I don't think so. The problem is not only weak passwords, but
> unnecessary login possibility which can be avoided.
> Even if you use strong passwords, chances are that open login attracts
> hackers. Strong passwords statistically minimize break-in chances, but
> you'll never know if the hacker brute force sets a lucky punch ;-)
If we require a password with at least 10 alphanumeric characters the
chances of successful brute force attacks are reduced to 1/36^10 which
is about 2e-16. Locking the install tool after 3 unsuccessful attempts
will reduce the probability to a number nearly as low as the risk of a
spontaneous RAM error negating the result of our password check and
causing the acceptance of a wrong password.

Regards Marc

-- 
...........................................................
Marc Wöhlken                     TYPO3 certified integrator

Quadracom - Proffe & Wöhlken

Rembertistraße 32              WWW: http://www.quadracom.de
D-28203 Bremen                E-Mail: woehlken at quadracom.de
______________             PGP-Key: http://pgp.quadracom.de

