Last modified: 2007-05-09 16:51:37 UTC
vBulletin allows 5 tries every 15 minutes, and that seems to work nicely (3
times is probably too few). Things to consider:
1) Send an e-mail to the address attached to the account on lockout, with IP
2) Send an e-mail to all members of a certain usergroup if the locked-out user
is part of one of certain usergroups. E.g., a locked-out
sysop/bureaucrat/steward might send an e-mail to all bureaucrats and stewards on
the wiki, say, or all checkusers. This can allow blocking and/or further
examination of the IP address, and central tracking if a bot tries
systematically cracking all sysops' accounts.
Possibly we can incorporate a captcha after a few failed attempts to make it
harder for bots to just hit the limit repeatedly. If we do so, it should be
possible to disable for the few users who have trouble with captchas (e.g.,
All of these should be configurable per-usergroup, and possibly as a user
preference. Ordinary users shouldn't have to be inconvenienced if they don't
want to be, since if they get taken over nothing much will happen except for
their reputation being tarnished, which is their problem. (But on wikis with
locked-down viewing/editing, users might be restricted as well.) On the other
hand, it's nice to allow more paranoid users to protect their identities more
*** Bug 9838 has been marked as a duplicate of this bug. ***
Captcha already present. Lockout is a DoS vector, unacceptable.
Lockout per-IP is not generally a DoS vector, although it could be to some
extent in special cases (shared dynamic ISP). What about e-mail to either a
centralized place or the user himself? Possibly not worthwhile before bug 9837?
E-mailing -> bug 9838.