Yes, there is a lockout after multiple failed login attempts. We will reduce the restrictions on password length. Your math is to the point, but security to the lay person is as much perception as reality. People feel safer with a door having 3 locks than 1, when in fact the weak point is the window. The fact is that few password compromises are the result of brute force attacks. Most are based on social engineering problems such as passwords based on easily determined names, birthdates, etc., or on backdoor methods such as keystroke loggers or other internet-borne diseases.
Quote from MR.NBBO: A PC (or string of networked in-line computers) can attempt millions of brute force tries per second. Not if the system you're attempting to crack takes a while to respond. TWS seems to take between 1 and 2 seconds, so I used 1 second. Not to mention that, even if you could get a million slave machines, it's unlikely that IB's system could handle that simultaneous load, at least without someone noticing. BTW, a common, simple tactic to improve security is to increase the cycle time for an authorization to fail. This helps make brute-force attacks impractical, even for poorly-chosen passwords. I'd venture that 80%+ of standard 8 character passwords take only seconds to several days to crack. Again, only if you could run millions per second, which you can't. The real problem, as we all understand, is that users choose insecure passwords. Making the max password length longer does nothing to improve that, since those people will not change their ways. People who know better already have enough namespace at 8 characters.
We're all on the same page here. The problem is that "the people that know better" aren't that many. Yes, a longer password set (if used) does indeed take an exponentially greater time to crack, even if it's not the best password--that's what helps create the safety for the poorly chosen passwords. People are indeed the weak link. Most brokers and banks support 15-25 character passwords. This is a standard, not an unfounded request. That said, IB's security is second to none, and it's greatly appreciated.
Add a setting: "SMART only for API orders for US stocks" To make sure one doesn't accidentally incur the non-SMART routing surcharge and/or cancel fees because of a software bug in one's app. Making a mistake like this just for a single day could add up to a significant amount of money. I almost (fortunately) did it this morning.
Improve performance for generating audit trails in TWS. The performance degradation is very noticeable on a slower machine with only a few hundred orders. I suspect it currently forces (as much as possible) immediate writes to the audit file, which is understandable if you want the highest reliability, but maybe you could make a switch available to allow a more "lazy" approach to reduce overhead.
Make the charts auto-refresh when the session begins: during the first 30 sec after the bell, major moves take place on stocks, and refreshing them one by one because they are stuck with the previous day's fractals is a waste of time and, obviously, of opportunities.
Could IB add a percentage limit and/or stop order for stocks? A $1 stop/limit is too big for a $2 stock and too small for a $400 stock, but IB can currently only put a dollar amount as stop/limit. Thanks.
There is a sound manager in IB TWS which can be set to play default or custom sounds for order fills. Is it possible to add this sound alert function to the connection status, so that when TWS is disconnected from the IB server, it can play a sound?
These are not improvements but what I consider inconveniences. TWS will not shut down via File > Exit. You must use Ctrl+Alt+Delete to shut it down. Also it can't remember under Restore > Settings that you had charts open the day before. Also the innocuous little tips window opens up every time TWS is started. Also the charts should auto-refresh upon start of the trading day so you don't have to click on each separate chart to refresh. This may not be a TWS problem and maybe a video driver problem, but when opening new charts, sometimes they go offscreen never to be seen again. I sent an email to support several weeks ago but no response.