Böf

My feedback

  1. 164 votes

    13 comments  ·  Feature Suggestions » Mail
    Böf commented  · 

    Disclaimers are common practice but completely useless. Try Yahoogle and find out why...

    I explained this to several customers but they still want it (legal departments not doing their homework properly). And it looks sooo fancy having a disclaimer yadada...

    Sorry that I can't vote for this idea but I do understand the request. Good luck!

  2. 359 votes

    44 comments  ·  Feature Suggestions » Security

    We have serious doubts this function can really increase server security:
    1) Plesk has built-in protection against brute-force on login – it will lock the login form. So no one can try multiple attempts
    2) An arbitrary login name adds very little guess-complexity to a proper password. If you have concerns about your login being brute-forced – add another 5-7 characters to your password and feel safe.

    As a changed login name is still very likely to be some sort of vocabulary word or derived from your other account name – this function would only give a false sense of better security. Your security strength is in a complex password, not in a complex login name. If you have one good password, you don’t need to treat the login as your “second password” – one good password is enough.

    As for concerns that default password requirement is set in “weak”, that fail2ban module is not…

    Böf commented  · 

    Just have a look at the logs that show how the lower life forms are trying to enter your server: Username "admin" (or root depending on the service) is their way to go. I wonder why "admin" is even allowed by Plesk? Now "all there is to it" is finding a password for "admin". Not allowing "admin" will reduce the chance of entering the server with brute force by a zillion times.

    I would agree that "real" system admins would tackle this themselves. But Plesk could help educate people when needed, right? Why is the default password strength set to "weak"? Let me guess: "admin" + "1234567"? (I sure hope those despicable life forms don't read this comment :-) )

    Fail2Ban is not installed by default (and even if installed later it is not activated by default). And in a way this feature is an indispensable but costly/active substitute for a password-like username.

    Not using "Admin" is a great free/passive safety improvement and a giant leap backwards for those pesky brute-force life forms.

    Oh, and on the help page of this new feature ;-) you might as well add that it is best not to use your real name, your domain name, or "root" either. Even better: Treat it as a second password.

    Böf supported this idea  · 
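The two positions above (the Plesk answer that 5-7 extra password characters outweigh a renamed login, and Böf's reply that a default "admin" name leaves only the password to guess while a random login name acts as a second password) can be put side by side as a guess-work calculation. The block below is an added example, not code from the thread or from Plesk; the wordlist size of 10,000 common usernames and the 95-character printable alphabet are assumptions chosen for illustration, and any number of attempts per second is left as a parameter.

```python
import math

# Constructed assumptions (not from the thread):
# - an attacker guesses non-default usernames from a wordlist of common
#   account names, vocabulary words and name/domain-derived variants
# - passwords are uniformly random over the 95 printable ASCII characters
COMMON_USERNAME_LIST_SIZE = 10_000  # assumption: size of the attacker's username wordlist
PRINTABLE_ALPHABET = 95             # assumption: password character set


def password_bits(length, alphabet=PRINTABLE_ALPHABET):
    """Guess-work in bits for a uniformly random password of `length` characters."""
    return length * math.log2(alphabet)


def username_bits(kind):
    """Guess-work in bits the attacker must spend on the login name.

    'admin'    : default name, tried first by every scanner      -> 0 bits
    'wordlist' : vocabulary word / other-account-derived name    -> log2(wordlist size)
    'random12' : 12 random printable chars, a true second password
    """
    if kind == "admin":
        return 0.0
    if kind == "wordlist":
        return math.log2(COMMON_USERNAME_LIST_SIZE)
    if kind == "random12":
        return password_bits(12)
    raise ValueError(f"unknown username kind: {kind}")


def total_bits(username_kind, password_length):
    """Bits an attacker must search when both login name and password are unknown."""
    return username_bits(username_kind) + password_bits(password_length)


def expected_seconds(bits, attempts_per_second):
    """Expected time to hit the right credential, assuming half the space is searched."""
    return (2 ** bits) / 2 / attempts_per_second


def compare(password_length=8, extra_chars=5):
    """Compare the options discussed in the thread for one baseline password length."""
    return {
        # Böf's point: with the default "admin" only the password is unknown.
        "admin_default_bits": total_bits("admin", password_length),
        # The renamed-login proposal with a guessable (wordlist) name.
        "wordlist_username_bits": username_bits("wordlist"),
        "renamed_total_bits": total_bits("wordlist", password_length),
        # Plesk's counter-proposal: keep "admin", lengthen the password instead.
        "extra_password_chars_bits": password_bits(extra_chars),
        "longer_password_total_bits": total_bits("admin", password_length + extra_chars),
        # Böf's stronger variant: treat the login name as a second password.
        "random_username_total_bits": total_bits("random12", password_length),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        # 10 attempts/second is an illustrative online-guessing rate, not a measured one
        days = expected_seconds(bits, 10) / 86400
        print(f"{name:32s} {bits:7.1f} bits  ~{days:.3g} days at 10 guesses/s")
```

Running it shows what both sides are really arguing about: a wordlist-sized username is worth about 13 bits, five extra printable characters about 33 bits, so the Plesk answer holds as long as the new login name is a dictionary word or a derived name. Only a random login name (Böf's "second password") adds more than the longer password does, and at that point it is simply a second secret to manage, which is why the thread lands where it does.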
