That Guy

My feedback

  1. 366 votes

    44 comments  ·  Feature Suggestions » Security  ·  Admin response:

    We have serious doubts that this function can really increase server security:
    1) Plesk has built-in protection against brute force on login – it will lock the login form. So no one can try multiple attempts.
    2) An arbitrary login name adds very little guess complexity to a proper password. If you have concerns about your login being brute-forced, add another 5-7 characters to your password and feel safe.

    As a changed login name is still very likely to be some sort of vocabulary word or derived from your other account name, this function would only give a false sense of better security. Your security strength is in a complex password, not in a complex login name. If you have one good password, you don’t need to treat the login as your “second password” – one good password is enough.

    As for concerns that the default password requirement is set to “weak”, that the fail2ban module is not…

    That Guy supported this idea
    That Guy commented:

    Quite shocking to see such an ignorant response from the management of a company that I'm supposed to trust with my and my customers' valuable data.

    Your argument that it gives a "false sense of security" has no merit. The username plays a critical role in user authentication. With this being so predictable, that's 50% of the guesswork done, allowing an attack(er) to focus on a single element of the system to attack. Fail2Ban works on the attack(er)'s IP address. I can quickly and easily get new public IP addresses and set up a brute-force attack.

    What security risk does this impose?

    I fail to see how this would be difficult to implement. It looks like Plesk is just full of lazy developers with little regard to security of their product.

    Furthermore, Plesk only notifies that a user with "the same username" is logged in. So how am I supposed to know whose alias admin account could be compromised?

    Is it going to take an attack on Plesk panels for you guys to get off your lazy aspirations and implement this? Because I'm willing to take it there, try me.
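The exchange above turns on per-IP blocking (fail2ban) versus guessing against one predictable account name. As an added example that is not part of this page or of Plesk, the following Python runs two lockout rules over constructed authentication log lines (the log format, the thresholds, the window and the addresses are all assumptions): a per-IP rule of the fail2ban kind and a per-account rule keyed on the login name. It shows the detection gap the commenter describes from a defender's side: failures against a single account that are spread across many sources stay under the per-IP threshold, while a per-account counter still flags the account, so the two rules complement rather than replace each other.

```python
"""Per-IP versus per-account failed-login throttling over constructed log lines.

Added example, not Plesk code. Assumes a simple constructed log format
"<ISO timestamp> <FAIL|OK> user=<name> ip=<addr>" and made-up thresholds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from a real system). Eight failures for
# "admin" arrive from eight different source addresses (RFC 5737 documentation
# range), one failure and one success for "bob" come from a single address.
SAMPLE_LOG = """\
2024-01-01T10:00:00 FAIL user=admin ip=192.0.2.1
2024-01-01T10:00:30 FAIL user=admin ip=192.0.2.2
2024-01-01T10:01:00 FAIL user=bob ip=198.51.100.7
2024-01-01T10:01:00 FAIL user=admin ip=192.0.2.3
2024-01-01T10:01:30 FAIL user=admin ip=192.0.2.4
2024-01-01T10:01:45 OK user=bob ip=198.51.100.7
2024-01-01T10:02:00 FAIL user=admin ip=192.0.2.5
2024-01-01T10:02:30 FAIL user=admin ip=192.0.2.6
2024-01-01T10:03:00 FAIL user=admin ip=192.0.2.7
2024-01-01T10:03:30 FAIL user=admin ip=192.0.2.8
"""

IP_THRESHOLD = 5        # assumed: block a source address after 5 failures in WINDOW
ACCOUNT_THRESHOLD = 5   # assumed: lock an account after 5 failures in WINDOW
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Turn one constructed log line into a dict with parsed timestamp."""
    ts, result, user_kv, ip_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "ip": ip_kv.split("=", 1)[1],
    }


def flag_by_key(events, key, threshold, window):
    """Return the set of key values (an 'ip' or a 'user') whose FAIL count
    reaches `threshold` inside a sliding time window of length `window`."""
    recent = defaultdict(list)   # key value -> timestamps of recent failures
    flagged = set()
    for ev in events:            # events are assumed to be in time order
        if ev["result"] != "FAIL":
            continue
        bucket = recent[ev[key]]
        bucket.append(ev["ts"])
        # Discard failures that fell out of the window.
        while bucket and ev["ts"] - bucket[0] > window:
            bucket.pop(0)
        if len(bucket) >= threshold:
            flagged.add(ev[key])
    return flagged


def distinct_sources_per_account(events):
    """Count distinct failing source addresses per account: a spread of
    sources against one login is itself a useful signal for an analyst."""
    sources = defaultdict(set)
    for ev in events:
        if ev["result"] == "FAIL":
            sources[ev["user"]].add(ev["ip"])
    return {user: len(ips) for user, ips in sources.items()}


def analyze(log_text):
    """Apply both rules and return what each one would have locked."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "locked_ips": flag_by_key(events, "ip", IP_THRESHOLD, WINDOW),
        "locked_accounts": flag_by_key(events, "user", ACCOUNT_THRESHOLD, WINDOW),
        "sources_per_account": distinct_sources_per_account(events),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("per-IP rule locked:      ", sorted(result["locked_ips"]))
    print("per-account rule locked: ", sorted(result["locked_accounts"]))
    print("distinct failing sources:", result["sources_per_account"])
```

On the constructed log the per-IP rule locks nothing, because no single address reaches five failures, while the per-account rule locks `admin` and the source count shows eight distinct addresses behind that one login. In practice a per-account lock needs its own care (it can be used to deny service to a legitimate user), which is why it is usually paired with a delay or a notification rather than used alone.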

  2. 85 votes

    29 comments  ·  Feature Suggestions » Plesk (general)
    That Guy supported this idea
