Nodered hacked by adding invisible nodes

Not easily, as this is part of the node-red admin init "script" that can only run after install.

Yes - also true of your Gmail account, PayPal, X, Instagram etc. if you don't set a decent password. The init script does check for a minimum length password, but yes, I will change the PR to make that longer (8 -> 16).

Things like this - or the suggestion to make each login take at least 2-3 seconds (which then wouldn't need a call to action IMHO) - really need to be in the core, as they would be useful for all users.

We also saw this - How to 'whitelist' IP address's that can access Node RED - which also looks useful. There were lots of tweaks suggested - is there a consensus on the "best" version?