Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stop tracking failed login attempts #547

Closed
fjarrett opened this issue May 22, 2014 · 5 comments

Comments

Projects
None yet
6 participants
@fjarrett
Copy link
Contributor

commented May 22, 2014

Yesterday @Japh, @lukecarbis and I had a call to discuss data usage of Stream and how we might be able to improve things.

Japh had gathered some real data from a site using Stream, and to our surprise, Failed Login Attempts accounted for nearly 96% of all records! 46,000 of 48,000 records in just 15 days. Looking at these numbers, it's almost as if Stream is primarily serving as a failed login tracker and just happens to track a few other things too 😄

After a lot of discussion, we came to the conclusion that Stream should stop tracking failed login attempts altogether. Here were the main reasons:

  1. Data storage needs for Stream can be reduced by up to 95% in some cases.
  2. A failed login attempt doesn't write anything to the DB, Stream is capturing something that isn't really a site change. The core purpose of Stream is to show what changes are being made to the DB by logged in users.
  3. Stream isn't doing anything to solve the problem of failed logins, the only thing it does it tell you that they are happening.
  4. There are other plugins, like Brute Protect by @samhotchkiss and team, whose sole purpose is to identify and prevent the problem of brute forced login attempts. Users should be encouraged to use complete login security solutions like this, and Stream can provide logs of what happened after any known breach.
  5. We can offer Failed Login Attempts tracking as a free extension plugin, if people still want that functionality. Think Link Manager.

/cc @shadyvb, @westonruter, @jonathanbardo

@westonruter

This comment has been minimized.

Copy link
Contributor

commented May 22, 2014

👍

@fjarrett fjarrett changed the title Stop tracking failed login attempts Stop tracking failed login attempts, provide as plugin May 22, 2014

@fjarrett fjarrett changed the title Stop tracking failed login attempts, provide as plugin Stop tracking failed login attempts May 22, 2014

@jonathanbardo

This comment has been minimized.

Copy link
Contributor

commented May 22, 2014

I think it's a very good idea! The free plugin approach is a great
alternative for those who will be seeking this feature.

On Thursday, May 22, 2014, Weston Ruter notifications@github.com wrote:

[image: 👍]


Reply to this email directly or view it on GitHubhttps://github.com//issues/547#issuecomment-43901793
.

Jonathan Bardo
Web Developer
[image: X-Team] http://x-team.com/

@samhotchkiss

This comment has been minimized.

Copy link

commented May 22, 2014

Hey Frankie, thanks for looping me in here.

We're rolling out our big 2.0 release to BruteProtect later tonight, we've
been working around the clock on it since January. You can check it out
from http://alpha.bruteprotect.com/ if you're interested. We'd love to
talk to figure out some ways that we can work together.

Frankie, are you guys going to be at WordCamp Chicago?

Sam Hotchkiss :: Principal :: Hotchkiss Consulting Group
122 Front Street, Second Floor, Bath, Maine 04530
P: 207.200.4314 :: Skype: hotchkiss.consulting

On Thu, May 22, 2014 at 1:08 PM, Frankie Jarrett
notifications@github.comwrote:

Yesterday @Japh https://github.com/Japh, @lukecarbishttps://github.com/lukecarbisand I had a call to discuss data usage of Stream and how we might be able
to improve things.

Japh had gathered some real data from a site using Stream, and to our
surprise, Failed Login Attempts accounted for nearly 96% of all records!
46,000 of 48,000 records in just 15 days. Looking at these numbers, it's
almost as if Stream is primarily serving as a failed login tracker and
just happens to track a few other things too [image: 😄]

After a lot of discussion, we came to the conclusion that Stream should
stop tracking failed login attempts altogether. Here were the main reasons:

  1. Data storage needs for Stream can be reduced by up to 95% in some
    cases.
  2. A failed login attempt doesn't write anything to the DB, Stream is
    capturing something that isn't really a site change. The core
    purpose of Stream is to show what changes are being made to the DB by
    logged in users.
  3. Stream doesn't do anything to solve the problem of failed logins,
    the only thing it does it tell you that they are happening.
  4. There are other plugins, like Brute Protecthttps://bruteprotect.com/by
    @samhotchkiss https://github.com/samhotchkiss and team, whose sole
    purpose is to identify and prevent the problem of brute forced login
    attempts.
  5. We can offer Failed Login Attempts tracking as a free extension
    plugin, if people still want that functionality. Think Link Managerhttps://wordpress.org/plugins/link-manager/
    .

/cc @shadyvb https://github.com/shadyvb, @westonruterhttps://github.com/westonruter,
@jonathanbardo https://github.com/jonathanbardo

Reply to this email directly or view it on GitHubhttps://github.com//issues/547
.

@lukecarbis

This comment has been minimized.

Copy link
Contributor

commented May 22, 2014

👍

1 similar comment
@Japh

This comment has been minimized.

Copy link

commented May 22, 2014

👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.