Securing the default login in Drupal

Actually this may be considered a feature request to some. I think if we promote it as is, within it's current state, it would speak louder if we consider others security.

You ported this too jquery? you have got to be kidding me!. I've found another one but this is a gem!! Yes, ... Angel did a very nice piece of magic with this one. I've gotta try this one. What I'd like to know is can we include this or this feature within core?

A feature request unless you look at the majority of other packages and exactly what they are doing!

I think it speaks louder when you can default from the norm and include others security regardless.

I'd really like to know from others what you think. Should this be a feature or a core capability?

Drupal 7 has been in development for how long?, I don't mean to offend truly I don't.. I'm just thinking about the majority of individuals that won't know better. I'm also thinking about the servers that others host for individuals that don't know any better. Think about it!

True to a certain degree but SSL is costly actually if you've ever run a site with a lot of traffic and if you don't block the bots route you'll get duplicate content with SSL on all your external pages.

Ouch ok that hurt. Actually no pet project at all, I just think IMO that would only save everyone a bunch of trouble in the long run.

Then we will just disagree. I can think of at least 10 ways this would add value. Not to mention the number one thing. Show me a site that is using a Drupal 7 and I'll show you how to hack into it.... That's enough right there.

The more I think about this the more it's really started to bother me. And you've closed the request and stated won't fix...

SSL is costly and it has nothing to do with the cost of the certificate. Well actually it does due in part to the strength of the encryption but the cost come in the amount of connections all via SSL. A server with heavy traffic will bottleneck first trying to encrypt the transactions. Here's where another box that the will off load such comes in handy, another story.. .
I'm just talking about the actually password here for a login. We can encrypt this and pass this to the server without SSL and without encrypting the complete page, or any other page. This would almost make a site at least 100% more secure, maybe not fully secure, but for sure... a whole lot more " And add a little promotional point here too!" How many other open source platforms are concerned with users security?

Here's something else to think about... Anyone that has ever hosted a site for a client! What happens if this clients is running in a shared environment, now what happens if one client in this shared environment is compromised, well depending on the environment you could. 1) compromise other sites/databases on the same server or 2) compromise the complete server and everything connected.

The more I think about this issue the more it's really starting to get to me. I can't believe we are on version 7 (starting version 8) and we can't do this yet? I mean what is the point in releasing something THAT YOU KNOW IS INSECURE. Your putting a lot of people at unnecessary risk and because of what? To reach some type of deadline. "WHAT" how long has Drupal 7 been in development? Or is it for other reasons? What to make sure people that get their sites hacked come back and pay someone to fix it?

Again I will wait because this is only one security issue. And if someone has a default Drupal 7 site and would like to know just how vulnerable the site is. Just ask around, You or I could attach any sniffer to the IP address associated with your website and record all transmissions accross it. It's a matter of only waiting until someone logs in and you have their LOGIN AND PASSWORD...

And to who ever closed my ticked!. Please don't close the tickets I have open if they have not been addressed. I understand why it was moved, fine, just please don't cause any further incidents because someone doesn't see things the way you do. You manage your security, I'll take care of mine.

I do not suggest anyone install Drupal 7 on a production server, even Drupal 6 "without" securing it!. You are asking for trouble. I'm going to publish an article about this and see what others think. I think it would be a grave mistake to release "version 7 of Drupal" without addressing this.

You're telling me that encrypting the password and passing it from the browser to the server is insecure?

I don't understand why so many people are against me on this. To constantly say NO, NO, we won't or can't do that..... And I thought at least a couple people here would understand.

Perpetual beta, that's funny. Here I thought you were just trying to be funny, but I understand now.

Heine, your right. There are many other way we could hack a Drupal site. I'm just trying to gain some assistance in securing the one main area that would secure the majority of the site. You are correct there are probably more the a handful of ways into Drupal. Do you really want me and others to post those here?

The thing I don't understand is you are the team leader for the Drupal security team? And why do you think that I can't sniff out the users login and password from a default drupal 7 install.

I think everyone need to take a look at this. You're right I'm not the only one! There are a bunch of others asking for security issues to considered and resolved. Most of those too are being "Closed (Won't Fix)"
http://drupal.org/project/issues/drupal?text=security&status=5&prioritie...

I understand that, and thank you for taking the time to post. You have shed a much broader light on the subject that I truly didn't realize. I honestly couldn't understand why ppl seemed to be getting hostile at the thought, but I believe I understand now. Sorry I'm really still a Drupal newbie I guess. I've been more of a Drupal stalker I guess you could say over the past 5 years, learning and trying different things. I do love Drupal and am addicted so don't ever think I'm putting Drupal down!!! I just see so much more potential in Drupal, I truly do. I mean I've been working with Open Source packages since the dawn of the term, but this package is truly the most flexible that I've ever tried to come to an understand with. See I'm a skeptical about anyone that tell's me that they really know Drupal, and I believe that anyone says that, truly doesn't know Drupal, in otherwords most people don't know where it's come from, how it's evolved, all the different area it's being used, and most of all - "The complexities of the Drupal evolution built upon PHP that has also evolved by leaps and bounds since Drupal's inception. This is in where the loop holes and cavities can multiply and create not only a huge amount of in's and out's to consider but also burden one's inability to harden and close some of those avenues.
I truly am addicted to Drupal, why well the numerous ways every should know of course, but I began to wonder sometimes if this addiction is going to be the end of me... It's funny actually, It's almost as if one man search for significance leads him astray from the holy grail. ;) I'm only kidding of course. It's just that feel so damn overwhelmed sometimes when you truly have to consider that amount of ways a user, person, browser and bot can all travel... Ok maybe I'm just rambling a bit and looking for some answers here. I don't mean to offend anyone truly I don't. I just wish there was a way we could harden the flow of users though a Drupal system. Now granted that it's capabilities make that innumerable I understand, I just wish there was a better way of organizing and approaching this situation a little differently. I'm still looking and if anyone here has felt my pain please, please, share with me and the others, what is working for you..Because I along with quite a few others, would love to know.

oh yea, just a little thought: Wasn't PHP "Personal Home Pages" when Drupal came out?