Source: wpvulndb
ID: WPVDB-ID:D5E25A1B-CFE8-4920-A994-B93400A59466
History: Jun 01, 2012 - 12:00 a.m.

Limit Login Attempts < 1.7.1 - Auth Cookies Brute Force Bypass

2012-06-01 00:00:00
wpscan.com
EPSS: 0.007 (Low), Percentile: 80.7%

From the changelog of the plugin: “Auth cookies” are special cookies set at login that authenticate you to the system. It is how WordPress “remembers” that you are logged in between page loads. During lockout these are supposed to be cleared, but a change in 1.6.2 broke this. It allowed an attacker to keep trying to break these cookies during a lockout. Lockout of normal password login attempts still worked as it should, and it appears that all “auth cookie” attempts would keep getting logged. In theory the “auth cookie” is quite resistant to brute force attack. It contains a cryptographic hash of the user password, and the difficulty to break it is not based on the password strength but instead on the cryptographic operations used and the length of the hash value. In theory it should take many, many years to break this hash. As theory and practice do not always agree, it is still a good idea to have working lockouts of any such attempts.

CPE
Name: limit-login-attempts
Operator: lt
Version: 1.7.1
