I am quite new to WordPress, but from what I know from other systems, let me propose some improvements to the handling of passwords. Primarily, I am targeting password-protected pages, but it is also true for the general login.
WordPress stores user names and passwords permanently for 10 days in a cookie. This is bad when, e.g., working from an Internet cafe. I mean, who remembers to delete all cookies when leaving the place…?
A better solution would be to make this default an option at login (like “remember me: yes/no”). Then the user actually knows and can choose.
For the time being, one can switch off the default completely by replacing the expiry in setcookie with NULL in functions.php lines 1173, 1174, 1777, 1778 and wp-pass.php line 8.
Oh, one last thing. Usually, when prompting for a password, one should use a password input field and not a text input field. WordPress does not do so for protected pages. Replace `type="text"` with `type="password"` in template-functions-post.php line 6 to change that.
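The two changes the post asks for, sketched as an added example in plain PHP (this is not WordPress code; `issue_login_cookie`, the cookie name `login_token` and the form field names are assumptions): the cookie lifetime follows a “remember me” checkbox rather than always persisting for 10 days, and the password prompt uses a password input.

```php
<?php
// Added example, not taken from WordPress. Decide the cookie lifetime from a
// "remember me" checkbox instead of a fixed 10-day expiry.
// $remember: true only if the user ticked the box on the login form.
function issue_login_cookie(string $value, bool $remember): void
{
    // expiry 0 = session cookie: the browser discards it on close, so nothing
    // is left behind on a shared machine (Internet cafe case from the post).
    $expiry = $remember ? time() + 10 * 24 * 60 * 60 : 0;
    // path "/", no domain restriction, Secure and HttpOnly set so the cookie
    // travels only over HTTPS and is not readable from page scripts.
    setcookie('login_token', $value, $expiry, '/', '', true, true);
}

// Handling the posted form (field names "post_password" and "remember" are assumed).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $remember = !empty($_POST['remember']);          // unticked box => no key at all
    $submitted = (string) ($_POST['post_password'] ?? '');
    // ...verify $submitted against the page's password here (site-specific)...
    issue_login_cookie($submitted, $remember);
}
?>
<!-- The prompt itself: type="password" so the entry is masked, plus the opt-in. -->
<form method="post" action="">
    <label>Password: <input type="password" name="post_password" size="20"></label>
    <label><input type="checkbox" name="remember" value="1"> Remember me</label>
    <input type="submit" value="Submit">
</form>
```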
- The topic ‘Default saving passwords for 10 days insecure?’ is closed to new replies.