Stop tracking failed login attempts #547

Closed
fjarrett opened this issue May 22, 2014 · 5 comments · Fixed by #548

Comments

@fjarrett
Contributor

Yesterday @Japh, @lukecarbis and I had a call to discuss data usage of Stream and how we might be able to improve things.

Japh had gathered some real data from a site using Stream, and to our surprise, Failed Login Attempts accounted for nearly 96% of all records! 46,000 of 48,000 records in just 15 days. Looking at these numbers, it's almost as if Stream is primarily serving as a failed login tracker and just happens to track a few other things too 😄

After a lot of discussion, we came to the conclusion that Stream should stop tracking failed login attempts altogether. Here were the main reasons:

  1. Data storage needs for Stream can be reduced by up to 95% in some cases.
  2. A failed login attempt doesn't write anything to the DB, Stream is capturing something that isn't really a site change. The core purpose of Stream is to show what changes are being made to the DB by logged in users.
  3. Stream isn't doing anything to solve the problem of failed logins, the only thing it does is tell you that they are happening.
  4. There are other plugins, like Brute Protect by @samhotchkiss and team, whose sole purpose is to identify and prevent the problem of brute forced login attempts. Users should be encouraged to use complete login security solutions like this, and Stream can provide logs of what happened after any known breach.
  5. We can offer Failed Login Attempts tracking as a free extension plugin, if people still want that functionality. Think Link Manager.

/cc @shadyvb, @westonruter, @jonathanbardo

@westonruter
Contributor

👍

@fjarrett fjarrett changed the title Stop tracking failed login attempts Stop tracking failed login attempts, provide as plugin May 22, 2014
@fjarrett fjarrett changed the title Stop tracking failed login attempts, provide as plugin Stop tracking failed login attempts May 22, 2014
@jonathanbardo
Contributor

I think it's a very good idea! The free plugin approach is a great
alternative for those who will be seeking this feature.


Jonathan Bardo
Web Developer
X-Team: http://x-team.com/

@samhotchkiss

Hey Frankie, thanks for looping me in here.

We're rolling out our big 2.0 release to BruteProtect later tonight, we've
been working around the clock on it since January. You can check it out
from http://alpha.bruteprotect.com/ if you're interested. We'd love to
talk to figure out some ways that we can work together.

Frankie, are you guys going to be at WordCamp Chicago?

Sam Hotchkiss :: Principal :: Hotchkiss Consulting Group
122 Front Street, Second Floor, Bath, Maine 04530
P: 207.200.4314 :: Skype: hotchkiss.consulting

@lukecarbis
Contributor

👍

@Japh

Japh commented May 22, 2014

👍
