Last modified: 2007-05-09 16:51:37 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T11836, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 9836 - React nastily on multiple failed login attempts (throttle/lockout, captcha)
React nastily on multiple failed login attempts (throttle/lockout, captcha)
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
unspecified
All All
: Normal enhancement (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks: 9816
  Show dependency treegraph
 
Reported: 2007-05-08 00:45 UTC by Aryeh Gregor (not reading bugmail, please e-mail directly)
Modified: 2007-05-09 16:51 UTC (History)
1 user (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-05-08 00:45:19 UTC
vBulletin allows 5 tries every 15 minutes, and that seems to work nicely (3
times is probably too few).  Things to consider:

1) Send an e-mail to the address attached to the account on lockout, with IP
details.

2) Send an e-mail to all members of a certain usergroup if the locked-out user
is part of one of certain usergroups.  E.g., a locked-out
sysop/bureaucrat/steward might send an e-mail to all bureaucrats and stewards on
the wiki, say, or all checkusers.  This can allow blocking and/or further
examination of the IP address, and central tracking if a bot tries
systematically cracking all sysops' accounts.

Possibly we can incorporate a captcha after a few failed attempts to make it
harder for bots to just hit the limit repeatedly.  If we do so, it should be
possible to disable for the few users who have trouble with captchas (e.g.,
blind users).

All of these should be configurable per-usergroup, and possibly as a user
preference.  Ordinary users shouldn't have to be inconvenienced if they don't
want to be, since if they get taken over nothing much will happen except for
their reputation being tarnished, which is their problem.  (But on wikis with
locked-down viewing/editing, users might be restricted as well.)  On the other
hand, it's nice to allow more paranoid users to protect their identities more
closely.
Comment 1 Titoxd 2007-05-08 02:54:27 UTC
*** Bug 9838 has been marked as a duplicate of this bug. ***
Comment 2 Brion Vibber 2007-05-08 15:49:46 UTC
Captcha already present. Lockout is a DoS vector, unacceptable.
Comment 3 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-05-08 16:38:11 UTC
Lockout per-IP is not generally a DoS vector, although it could be to some
extent in special cases (shared dynamic ISP).  What about e-mail to either a
centralized place or the user himself?  Possibly not worthwhile before bug 9837?
Comment 4 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-05-09 16:51:37 UTC
E-mailing -> bug 9838.

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links