The 4 digit password takes only 10000 (on average 5000) tries to crack.
So you can reset a password and brute force it in a very few hours.
More digits should be added. More than 10 when it is digits I would say.
It is not a PIN code on a credit card where you only have 3 tries. You can continue brute forcing as long as you want.
Sounds like something we'd want BlackListPlugin to handle (template based login).
I suggest this is not urgent to the release?
I see the problem with regard to Apache basic auth, though; a few more digits wouldn't hurt there. - One good reason not to run basic auth.
You suggest this is not urgent???
I can reset the admin's password and log in within an hour. That is serious. Security cannot be compromised. TWiki cannot survive more security scandals.
We cannot rely on a plugin to handle the basic security. And for example I do not use Template login and should not be forced to.
It must be the easiest thing in the world to add more digits to the generated password.
I changed back to engine and not BlacklistPlugin
OK, this breaks string freeze, though. But it seems Antonio committed some errors in the last run, this may make it anyway.
This only raises the time taken to do a hack; administrators insisting on basic auth should at least use something like http://search.cpan.org/~swampfox/Apache-AuthChecker-1.00/AuthChecker.pm
Perhaps we should promote that in docs?
The password need not be numeric.
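Added worked example, not part of this thread and not TWiki's own code: the arithmetic behind the "10000 (on average 5000) tries" figure, what extra digits or a wider alphabet buy, and a CSPRNG-based generator so the reset password need not be numeric. The attacker rate of one guess per second against the login form, and the candidate lengths compared, are assumptions chosen for illustration.

```python
import math
import secrets
import string

DIGITS = string.digits                        # 10 symbols
ALNUM = string.ascii_letters + string.digits  # 62 symbols


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def expected_guesses(alphabet_size: int, length: int) -> float:
    """Average guesses before a uniformly random password is hit: half the
    search space (the thread's 10000 total, 5000 on average, for 4 digits)."""
    return search_space(alphabet_size, length) / 2


def expected_crack_seconds(alphabet_size: int, length: int,
                           guesses_per_second: float) -> float:
    """Expected wall-clock time for an online brute force with no lockout.
    guesses_per_second is an assumed attacker rate, not a measured one."""
    return expected_guesses(alphabet_size, length) / guesses_per_second


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly chosen password of this shape."""
    return length * math.log2(alphabet_size)


def generate_password(length: int, alphabet: str = ALNUM) -> str:
    """Generate a reset password with a CSPRNG over the given alphabet.
    The weakness in the thread is length, not randomness, so the same
    generator with alphabet=DIGITS and length=4 reproduces the weak scheme."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(guesses_per_second: float = 1.0):
    """Return (label, entropy_bits, expected_hours) for several assumed
    generator schemes, at the given (assumed) online guessing rate."""
    schemes = [
        ("4 digits (as reported)", len(DIGITS), 4),
        ("10 digits", len(DIGITS), 10),
        ("8 alphanumeric", len(ALNUM), 8),
        ("12 alphanumeric", len(ALNUM), 12),
    ]
    rows = []
    for label, size, length in schemes:
        secs = expected_crack_seconds(size, length, guesses_per_second)
        rows.append((label, round(entropy_bits(size, length), 1), secs / 3600))
    return rows


if __name__ == "__main__":
    for label, bits, hours in compare(guesses_per_second=1.0):
        print(f"{label:24s} {bits:6.1f} bits  ~{hours:.3g} h to crack on average")
    print("sample 12-char reset password:", generate_password(12))
```

At one guess per second the 4-digit password falls in about 1.4 hours on average, which is the "within an hour" scenario above. Throttling the login form (what a tool like AuthChecker does for basic auth) only changes the divisor: at one guess every ten seconds the same password still lasts only about 14 hours, whereas each extra digit multiplies the work by 10 and switching to a 62-symbol alphabet multiplies it by 6.2 per character.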