Last modified: 2008-07-02 15:01:29 UTC
Currently, if a user enters a wrong password, s/he is required to do a CAPTCHA on the next try, or wait some amount of time. I propose doing it not after one failed attempt, but only after 2 or 3 attempts.
This wouldn't affect security very much, but will make logging on more convenient. Mistyping one's password is a very natural thing, for those who don't memorize their password in their browser.
Besides, I believe this change will greatly decrease the number of captchas processed per day, which can be useful in terms of CPU spent. Also it will improve accessibility to people with poor sight.
It will very slightly make guessing passwords easier.
To have a counter instead of a binary flag, which seems simple.
$wgCaptchaBadLoginAttempts implemented in r36918. This can be set to allow 1 (or more) bad login attempts before triggering the captcha.