Last modified: 2008-08-08 11:50:27 UTC

Bug 12370 - Password throttling please?
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Hardware: All
OS: All
Importance: Normal enhancement with 1 vote
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks: 9816
Reported: 2007-12-21 14:39 UTC by FT2
Modified: 2008-08-08 11:50 UTC
CC: 3 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments:
Attachment 5030: Adds 20 second time limit between password attempts. (3.05 KB, patch), 2008-06-28 02:16 UTC, Tyler Romeo

Description FT2 2007-12-21 14:39:35 UTC
I know this has been discussed before, but I can't see any resolution, nor any strong objections. 

Is any password throttling regime in place (assuming captcha is satisfied)? If not, can any be, even if simple?
Comment 1 Brion Vibber 2007-12-21 17:25:15 UTC
Adding tracking bug.
Comment 2 FT2 2008-01-08 22:25:38 UTC
An entry just appeared on oversight-l regarding an article that indicates users (evidently) brute-forced passwords, including one administrator's. I haven't tested them to see if they're valid, but they probably are; they look plausible.

Oversighted around 22.00 January 8 2008.

Probably a lot of it goes on, but even a simple 20 second delay after a failed login would be good.
Comment 3 Tyler Romeo 2008-06-28 02:16:45 UTC
Created attachment 5030 [details]
Adds 20 second time limit between password attempts.

This patch does not allow a user to attempt login under a certain username if the last failed login attempt was less than or equal to twenty seconds ago, or whatever is defined by $wgPasswordThrottleLimit. Instead, the user is given the throttle-blocked message. There is one bug I will admit with this patch: It does not discriminate which user made the failed login attempt, so if one person makes a failed login attempt, and another separate IP makes another attempt shortly after, they will not be logged in.

Then again, this might be useful. There are a couple of situations in which this would happen: person 1 is the actual user and person 2 is not; person 2 is not the real user while person 1 is; both users are not the actual user. In the first case, person 1 will not notice much; they will just wait twenty seconds, while person 2 is blocked for twenty seconds, which should not matter since the person is not the real user anyway. In the second situation, person 1 is the one who is surprised by a "wait twenty seconds" message, but this might be helpful because it tells the real user that somebody tried to log in to their account. In the last situation, it does not matter at all since neither user is the real user and neither should be logging in.

The way I see it, this patch is good. If anybody wants to change it to make it discriminate by IP, go ahead. Either way, this is something good to at least work off of.
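As an added example (not the attached patch and not MediaWiki code), the following models the per-username window described in comment 3 and adds a second mode keyed on (username, IP), the refinement the comment invites, so the lockout-of-the-real-user effect can be seen side by side. The class and function names, the 20-second default standing in for $wgPasswordThrottleLimit, and the IP addresses are constructed for the demonstration.

```python
import time
from typing import Callable, Dict, Hashable

# Constructed default mirroring the twenty-second window the comment describes.
PASSWORD_THROTTLE_LIMIT = 20


class LoginThrottle:
    """Refuse a login attempt if the last *failed* attempt for the same key was
    at most `limit` seconds ago. key_by_ip=False keys on the username alone (the
    patch's behaviour); key_by_ip=True keys on (username, ip) instead."""

    def __init__(self, limit: int = PASSWORD_THROTTLE_LIMIT, key_by_ip: bool = False,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit, self.key_by_ip, self.clock = limit, key_by_ip, clock
        self._last_failure: Dict[Hashable, float] = {}  # key -> time of last failure

    def _key(self, username: str, ip: str) -> Hashable:
        return (username, ip) if self.key_by_ip else username

    def is_blocked(self, username: str, ip: str) -> bool:
        last = self._last_failure.get(self._key(username, ip))
        return last is not None and self.clock() - last <= self.limit

    def attempt(self, username: str, ip: str, password_ok: bool) -> str:
        """'throttled' = refused before checking the password; 'failed' = window
        restarted; 'ok' = window cleared for this key."""
        if self.is_blocked(username, ip):
            return "throttled"
        key = self._key(username, ip)
        if not password_ok:
            self._last_failure[key] = self.clock()
            return "failed"
        self._last_failure.pop(key, None)
        return "ok"


def demo_shared_window() -> Dict[str, tuple]:
    """Constructed scenario from comment 3: a stranger at 10.0.0.2 fails at t=0;
    the real user at 192.0.2.1 sends the right password at t=5 and again at t=25."""
    results = {}
    for name, key_by_ip in (("per_username", False), ("per_username_and_ip", True)):
        now = [0.0]  # fake clock so the window is exercised without sleeping
        throttle = LoginThrottle(key_by_ip=key_by_ip, clock=lambda: now[0])
        first = throttle.attempt("alice", "10.0.0.2", password_ok=False)
        now[0] = 5.0
        second = throttle.attempt("alice", "192.0.2.1", password_ok=True)
        now[0] = 25.0
        third = throttle.attempt("alice", "192.0.2.1", password_ok=True)
        results[name] = (first, second, third)
    return results
```

With the username-only key the real user's correct password at t=5 is refused; keying on (username, IP) lets it through while the stranger's address stays in its window.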
Comment 4 Andrew Garrett 2008-08-08 11:50:27 UTC
Fixed in r38886 (did not use supplied patch).
