Last modified: 2008-08-08 11:50:27 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T14370, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 12370 - Password throttling please?
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
Hardware: All, OS: All
Importance: Normal enhancement with 1 vote
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks: 9816
Reported: 2007-12-21 14:39 UTC by FT2
Modified: 2008-08-08 11:50 UTC (History)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Adds 20 second time limit between password attempts. (3.05 KB, patch)
2008-06-28 02:16 UTC, Tyler Romeo

Description FT2 2007-12-21 14:39:35 UTC
I know this has been discussed before, but I can't see any resolution, nor any strong objections. 

Is any password throttling regime in place (assuming captcha is satisfied)? If not, can any be, even if simple?
Comment 1 Brion Vibber 2007-12-21 17:25:15 UTC
Adding tracking bug.
Comment 2 FT2 2008-01-08 22:25:38 UTC
An entry just appeared on oversight-l regarding an article that indicates users (evidently) brute-forced passwords, including one administrator's. I haven't tested them to see if they're valid, but they probably are; they look plausible.

Oversighted around 22.00 January 8 2008.

Probably a lot of it goes on, but even a simple 20 second delay after a failed login would be good.
Comment 3 Tyler Romeo 2008-06-28 02:16:45 UTC
Created attachment 5030 [details]
Adds 20 second time limit between password attempts.

This patch does not allow a user to attempt login under a certain username if the last failed login attempt was less than or equal to twenty seconds ago, or whatever is defined by $wgPasswordThrottleLimit. Instead, the user is given the throttle-blocked message. There is one bug I will admit with this patch: It does not discriminate which user made the failed login attempt, so if one person makes a failed login attempt, and another separate IP makes another attempt shortly after, they will not be logged in.

Then again, this might be useful. There are a couple of situations in which this would happen: person 1 is the actual user and person 2 is not; person 2 is not the real user while person 1 is; both users are not the actual user. In the first case, person 1 will not notice much, they will just wait twenty seconds, while person 2 is blocked for twenty seconds, which should not matter since the person is not the real user anyway. In the second situation, person 1 is the one who is surprised by a "wait twenty seconds" message, but this might be helpful because it tells the real user that somebody tried to log in to their account. In the last situation, it does not matter at all since neither user is the real user and neither should be logging in.

The way I see it, this patch is good. If anybody wants to change it to make it discriminate by IP, go ahead. Either way, this is something good to at least work off of.
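A minimal model of the throttle described in comment 3, as an added example (not the attached patch and not MediaWiki code): the per-username window the patch implements, beside the (username, IP) keying the comment suggests, driven by an injectable clock so the scenarios can be replayed. The IP addresses are constructed and the 20-second default is assumed from the comment.

```python
import time
from typing import Callable, Dict, Optional, Tuple

PASSWORD_THROTTLE_LIMIT = 20  # seconds; assumed default for $wgPasswordThrottleLimit

class LoginThrottle:
    """Refuse a login attempt while the last failed attempt on the same key is at most
    `limit` seconds old. key_by_ip=False keys on the username alone (what comment 3
    describes); key_by_ip=True keys on (username, client IP), the refinement it suggests."""

    def __init__(self, limit: int = PASSWORD_THROTTLE_LIMIT, key_by_ip: bool = False,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit, self.key_by_ip, self.clock = limit, key_by_ip, clock
        self._last_failure: Dict[Tuple[str, Optional[str]], float] = {}

    def _key(self, username: str, ip: str) -> Tuple[str, Optional[str]]:
        return (username.lower(), ip if self.key_by_ip else None)

    def is_throttled(self, username: str, ip: str) -> bool:
        last = self._last_failure.get(self._key(username, ip))
        return last is not None and self.clock() - last <= self.limit

    def attempt(self, username: str, ip: str, password_ok: bool) -> str:
        """Return 'throttled', 'failed' or 'ok'; password_ok is the caller's verification verdict."""
        key = self._key(username, ip)
        if self.is_throttled(username, ip):
            return "throttled"                  # the throttle-blocked message
        if not password_ok:
            self._last_failure[key] = self.clock()
            return "failed"
        self._last_failure.pop(key, None)       # success clears the window
        return "ok"

def real_user_after_strangers_failure(key_by_ip: bool) -> str:
    """Comment 3's second scenario with constructed addresses: a stranger fails on
    'alice' from 198.51.100.7, the real user logs in correctly from 203.0.113.5
    five seconds later. Returns what the real user sees."""
    now = [1000.0]
    throttle = LoginThrottle(key_by_ip=key_by_ip, clock=lambda: now[0])
    throttle.attempt("alice", "198.51.100.7", password_ok=False)
    now[0] += 5
    return throttle.attempt("alice", "203.0.113.5", password_ok=True)

def window_edges() -> Tuple[bool, bool]:
    # Still throttled exactly 20 s after a failure (<=), free half a second later.
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    throttle.attempt("bob", "203.0.113.5", password_ok=False)
    now[0] += 20
    at_limit = throttle.is_throttled("bob", "203.0.113.5")
    now[0] += 0.5
    return at_limit, throttle.is_throttled("bob", "203.0.113.5")
```

Keying on the username alone is the stronger control against password guessing but lets anyone lock the real user out for the window; keying on (username, IP) removes that lever but does nothing against guessing spread across many addresses, so deployments usually combine both.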
Comment 4 Andrew Garrett 2008-08-08 11:50:27 UTC
Fixed in r38886 (did not use supplied patch).

