Last modified: 2007-05-09 16:51:37 UTC
vBulletin allows 5 tries every 15 minutes, and that seems to work nicely (3 times is probably too few). Things to consider:

1) Send an e-mail to the address attached to the account on lockout, with IP details.

2) Send an e-mail to all members of a certain usergroup if the locked-out user is part of one of certain usergroups. E.g., a locked-out sysop/bureaucrat/steward might send an e-mail to all bureaucrats and stewards on the wiki, say, or all checkusers. This can allow blocking and/or further examination of the IP address, and central tracking if a bot tries systematically cracking all sysops' accounts.

Possibly we can incorporate a captcha after a few failed attempts to make it harder for bots to just hit the limit repeatedly. If we do so, it should be possible to disable it for the few users who have trouble with captchas (e.g., blind users).

All of these should be configurable per-usergroup, and possibly as a user preference. Ordinary users shouldn't have to be inconvenienced if they don't want to be, since if they get taken over nothing much will happen except for their reputation being tarnished, which is their problem. (But on wikis with locked-down viewing/editing, users might be restricted as well.) On the other hand, it's nice to allow more paranoid users to protect their identities more closely.
*** Bug 9838 has been marked as a duplicate of this bug. ***
Captcha already present. Lockout is a DoS vector, unacceptable.
Lockout per-IP is not generally a DoS vector, although it could be to some extent in special cases (shared dynamic ISP). What about e-mail to either a centralized place or the user himself? Possibly not worthwhile before bug 9837?
E-mailing -> bug 9838.
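The following is an added example, not code from this bug or from MediaWiki. It sketches the throttle proposed in the first comment (5 failures per 15 minutes, captcha after a few failures, notification on lockout with escalation to privileged usergroups) and makes the DoS point from the later comments concrete: the same counter keyed by target account lets an attacker at one IP lock a user out everywhere, while keyed by source IP it does not. The class name, the status strings, the group names and the IP addresses are all constructed for the example; the notification is a plain callback standing in for e-mail.

```python
"""Sliding-window login throttle, keyed per IP or per account (illustrative)."""
import time
from collections import defaultdict, deque

OK, CAPTCHA, LOCKED = "ok", "captcha", "locked"


class LoginThrottle:
    """Counts failed logins in a sliding window and escalates ok -> captcha -> locked.

    key_by="ip": failures are counted per source address (the thread's position:
    not generally a DoS vector). key_by="account": failures are counted per
    target account, so anyone can lock out anyone from anywhere.
    """

    def __init__(self, key_by="ip", max_attempts=5, window=15 * 60,
                 captcha_after=3, notify=None, group_members=None,
                 alert_groups=("sysop", "bureaucrat", "steward"),
                 clock=time.monotonic):
        assert key_by in ("ip", "account")
        self.key_by = key_by
        self.max_attempts = max_attempts
        self.window = window
        self.captcha_after = captcha_after
        self.notify = notify or (lambda event: None)   # stand-in for e-mail
        self.group_members = group_members or {}       # group -> set of usernames
        self.alert_groups = set(alert_groups)
        self.clock = clock                             # injectable for testing
        self._failures = defaultdict(deque)            # key -> failure timestamps

    def _key(self, ip, username):
        return ip if self.key_by == "ip" else username.lower()

    def _recent(self, key):
        """Drop timestamps older than the window; return the live failure count."""
        cutoff = self.clock() - self.window
        q = self._failures[key]
        while q and q[0] <= cutoff:
            q.popleft()
        return len(q)

    def state(self, ip, username):
        n = self._recent(self._key(ip, username))
        if n >= self.max_attempts:
            return LOCKED
        if n >= self.captcha_after:
            return CAPTCHA
        return OK

    def record_failure(self, ip, username, user_groups=()):
        key = self._key(ip, username)
        self._recent(key)
        self._failures[key].append(self.clock())
        new_state = self.state(ip, username)
        # Notify exactly once per lockout episode, on the failure that crosses the limit.
        if new_state == LOCKED and len(self._failures[key]) == self.max_attempts:
            self._on_lockout(ip, username, user_groups)
        return new_state

    def record_success(self, ip, username):
        self._failures.pop(self._key(ip, username), None)

    def _on_lockout(self, ip, username, user_groups):
        # Item 1 of the proposal: the account holder gets IP details.
        event = {"type": "lockout", "user": username, "ip": ip, "recipients": {username}}
        # Item 2: a hammered privileged account alerts the whole alert group.
        for group in set(user_groups) & self.alert_groups:
            event["recipients"] |= self.group_members.get(group, set())
        self.notify(event)


class FakeClock:
    """Deterministic clock so the 15-minute window can be advanced by hand."""
    def __init__(self):
        self.t = 1000.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def lockout_demo(key_by):
    """Attacker at 198.51.100.7 (constructed) fails five times against Alice, a sysop;
    Alice then logs in from her own address. Returns (attacker_states, alice_state, events)."""
    clock, events = FakeClock(), []
    th = LoginThrottle(key_by=key_by, notify=events.append, clock=clock,
                       group_members={"sysop": {"Alice", "Bob"}})
    states = [th.record_failure("198.51.100.7", "Alice", user_groups=("sysop",))
              for _ in range(5)]
    return states, th.state("203.0.113.5", "Alice"), events


def window_demo():
    """Lockout expires once the window has passed."""
    clock = FakeClock()
    th = LoginThrottle(clock=clock)
    for _ in range(5):
        th.record_failure("198.51.100.7", "Alice")
    before = th.state("198.51.100.7", "Alice")
    clock.advance(15 * 60 + 1)
    return before, th.state("198.51.100.7", "Alice")


if __name__ == "__main__":
    for mode in ("account", "ip"):
        print(mode, lockout_demo(mode))
    print("window", window_demo())
```

Run as a script it prints the escalation sequence for both keying modes: keyed by account, Alice is locked out by the attacker's failures; keyed by IP, she is not, while the lockout notification (to Alice plus every sysop) fires in both cases. The shared-ISP caveat from the thread is the limit of the per-IP approach: every user behind that address shares one counter.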