• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

The 4 digit password takes only 10000 (on average 5000) tries to crack.

So you can reset a password and brute force in very few hours.

More digits should be added. More than 10 when it is digits I would say.

It is not a PIN code on a credit card where you only have 3 tries. You can continue brute forcing as long as you want.

KJL

Sounds like something we'd want BlackListPlugin to handle (template based login).

I suggest this is not urgent to the release?

I see the problem with regards to apache basic auth, though, a few more digits wouldn't hurt there. - One good reason not to run basic auth smile

-- SP

You suggest this is not urgent???

I can reset the admins password and login with an hour. That is serious. Security cannot be compromized with. TWiki cannot survive more security scandals. We cannot rely on a plugin to handle the basic security. And for example I do not use Template login and should not be forced to.

It must be the easiest thing in the world to add more digits to the generated password.

I changed back to engine and not BlacklistPlugin.

KJL

OK, this breaks string freeze, though. But it seems Antonio committed some errors in the last run, this may make it anyway.

This only raises time taken to do a hack, administrators insisting on basic auth should at least use something like http://search.cpan.org/~swampfox/Apache-AuthChecker-1.00/AuthChecker.pm.

Perhaps we should promote that in docs?

SVN 8484.

-- SP

The password need not be numeric.

See TWiki:Codev/BetterPasswordGeneration

-- AJA

ItemTemplate
Summary The reset password and registration generated password is too easy to crack
ReportedBy TWiki:Main.KennethLavrsen
Codebase

SVN Range Sun, 22 Jan 2006 build 8439
AppliesTo Engine
Component

Priority Urgent
CurrentState Closed
WaitingFor

Checkins 8484
TargetRelease n/a
Edit | Attach | Watch | Print version | History: r8 < r7 < r6 < r5 < r4 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r8 - 2006-03-16 - AntonAylward
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2018 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback