Daniel Convissor
Forum Replies Created
Dom:
Okay, I was just checking if your server is behind a proxy or something. It’s not.
Which version of LSS was in use when you and your user got locked out?
Yeah, email me a dump of the fail table if you can, please. And let me know your and your user’s user names. Thanks,
–Dan
Forum: Plugins
In reply to: [Login Security Solution] [Plugin: Login Security Solution] NOT RECOMMENDED
Hi:
I was not asking for specific details about your site.
I’m looking for an outline of why you think LSS didn’t work. Your saying the attackers were able to “bounce off 80+ tries before we had to interfere manually” is a start.
How many minutes did it take them to make those hits?
Thanks,
–Dan
Dom (and Jason too):
I’m still curious why y’all are running into this in the first place. Can you run the following query for me (edit the <prefix> first, of course):
SELECT COUNT(*), ip, MAX(date_failed) FROM <prefix>login_security_solution_fail GROUP BY ip ORDER BY COUNT(*);
Thanks,
–Dan
Jason and Dom:
Can you please email me or provide access to your <prefix>login_security_solution_fail tables? danielc@analysisandsolutions.com
Thanks,
–Dan
Forum: Plugins
In reply to: [Login Security Solution] [Plugin: Login Security Solution] NOT RECOMMENDED
Hi:
Would you be so kind as to explain the scenario under which it doesn’t work, please?
Thanks,
–Dan
Hi Jason:
The plugin has an automatic whitelist process. Whenever someone updates their password, the IP is stored for future reference. Notices may still get sent depending on the timing of attacks and legitimate logins, so users can make sure nothing bad is happening, but the password reset process is not required.
Thanks,
–Dan
Hi Rubin:
LSS’ timeout is totally separate from WP’s.
–Dan
Dean:
Thanks for the detailed explanation of your thoughts.
For the record here, the external link has been removed in release 0.27.0.
That Apple UI with the bullet points is exactly the concept I had in mind with the “check list kind of thing” mentioned in the “https and multisite problems” thread.
I’ll reply with more details once I have time to gather my thoughts.
Thanks,
–Dan
It’s been removed in the 0.27.0 release.
Further password policy UI discussions will take place in the “Password policy link to explanation” thread.
Hey Dean:
You make excellent points. I thought about them as well and was wary to add the link. At the same time, feel it’s important to educate people about the urgency of the matter, if only to reduce the grumbling from users about needing to have such strong passwords. What do you feel is the best means to convey this? Or do you feel it’s beyond the scope of this plugin to do that?
As far as your saying “…and this prompt text are the main things to be worked on…” are you talking about the whole password policy text or just the exterior link? If the whole policy text, what are your ideas for improvement, please?
Thanks,
–Dan
Hi Jim:
Thanks for the update. Glad it wasn’t a problem I caused. 🙂
–Dan
Hi James:
Thanks for the grep output. Nothing in particular pops out at me. What happens if you disable the Your Members plugin and then register a new user?
–Dan
Hi Dean:
Thanks for your persistence. Those systems provide strength indicators in their user interfaces because they don’t actually enforce password strength, so they need some way to nudge users to do the right thing. But the Login Security Solution plugin _requires_ the users to get it right.
While it’d be nice for LSS to provide a UI clue while people are typing, LSS’ rules are so complex that it’d be unwieldy. LSS permits the use of UTF-8. The upper case / lower case check (with exceptions for alphabets that only have one case) is hard enough to do in PHP, let alone JavaScript. Plus we require that the password doesn’t contain the user name, site name, etc. All of this would require a lengthy, complex back and forth via AJAX.
The specific character and length requirements are specified in text below the password fields. (Guess I need to add text mentioning that one’s name and site info can’t be in the password.)
I’d welcome a patch that covers all of this in a clean, effective way. It’d have to account for the fact that with LSS, it’s either a strong password or it’s not; there’s no weak/medium/strong gradation. I guess it’d have to be a check list kind of thing.
Thanks,
–Dan