Need help? Check out our Support site, then


WordPress.com Forums » Ideas

Password-protected pages and posts are not very protected!!

  1. alicealiceme
    Member

    Dear WP.com,
    I´ve been looking through "Support" and "Forum" and this seems to be an issue that concerns many bloggers.

    I came to realize that when i write password-protected pages or posts, the browser of the person opening the protected page automatically saves the password, even when the person logs-out of WP. So no matter which other WP user opens my blog from that browser, is automatically granted of an access I didnt give him.

    It obviously just doesn´t make any sense. It is about time WP finds a solution. I would understand, and I would find it useful, if the USER didn´t need to type in the password after the first time. So the password would be saved not from the user´s browser, but from the user´s account. THAT would make sense.

    So when WP writes:

    "WordPress will prompt you for the password on your initial visit to a protected post. After entering the password that first time, WordPress will securely store the password with the browser you entered it with so you won’t have to enter it again."

    he also knows it´s a lot of BS. WP should also write: "but pay attention that the password will remain available for ALL the users entering your protected pages from that same browser"...

    So please dear WP,
    finde a solution for this non-sense.

    Thank you!

  2. thesacredpath
    Staff

    The password is not saved on the person's computer. There is a cookie that is set and that is read by wordpress and they see that this person had entered the password, so it shows them the post.

    I agree that this needs to be looked at and possibly a time limit put on the access or something.

  3. alicealiceme
    Member

    Thank you for your quick answer.

    I see what you mean, but the problem is that WP doesn´t actually see that this "person" has entered the password, but rather that the "browser" has done it... The problem is, obviously, that different users can enter the blog through the same browser.

    I think rather than a time limit it should be a "user" limit, if you know what i mean... Every time you sign out of your WP account, the password is canceled and next time you will need to type it in again. In a perfect world, WP would recognize that that user already knows the password and simply don´t ask for it again, but hey, maybe I ask too much ;)

    Anyways I really think this is a failure in WP privacy policy and that´s why I strongly believe they should work on it...

  4. thesacredpath
    Staff

    No, what wordpress sees is that the whoever entered the password correctly once from the information it gets from the cookie. There is no way to tell if an actual person typed in the password, or if it was a script, or even a chimpanzee. WordPress cannot "look" has no camera to see how the password was entered, just as they have no way of telling that YOU are the one that typed in the username and password to get into your account here.

    Each computer is a single entity as far as the web goes because the only identifying things that wordpress has to go off of is the IP address and possibly the MAC address for the computer. The IP address might not ever change if the computer is on a network.

    This is far more complex to accomplish than you realize.

  5. thesacredpath
    Staff

    One more thing: Password protecting pages and posts is NEVER going to be a high level of security because all it takes is someone posting the password on twitter or facebook or Google + and your protection is dead.

    If you want more control, set up a second blog and put the private stuff on that, set that site to private and then have people sign up for a wordpress.com username and password and invite them to that blog. That still isn't totally secure though if they happen to do the "remember me" when they signed in. Anyone getting on that same computer would then still be able to get into that site since the person has saved the username and password to their computer/browser.

    Bottom line: Security on the internet is a pipe dream. You do the best you can to protect your login information and keep people off of your computer and log out of your computer if you leave it for any length of time.

  6. alicealiceme
    Member

    Yeah, I hear you.

    I just wanted to point out the problem due to his nonsense. Then there is just one last thing I would appreciate from WP: warn the bloggers about this little inconvenient. That can´t be so complex, right?

    Thanks again.

  7. thesacredpath
    Staff

    I think they could make things better, but I'm not sure what the final result would be. Perhaps they will see this thread and take it under advisement and come up with something. Or, perhaps they won't. No one ever knows what they are going to do.

    And you are welcome.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags