https://bugzilla.wikimedia.org/show_bug.cgi?id=25925
--- Comment #25 from Chris Steipp <[email protected]> ---

I'll add some non-admin attack scenarios:

* With our rate limits what they are, you can actually brute force single-character passwords (15-30 mins each, before you optimize for user bias in choosing the single digit) faster than the creation rate limits (4-6/day for most wikis). So spammer wants some accounts?
* Editors get in an edit dispute; one editor brute forces the other's login, vandalizes, gets the other person blocked.

One proposal I'll make is to remove the check that the password meets the minimum length on login, and enforce it on account creation and password change. That (I think, although I haven't traced all the code) would let us raise it for new accounts without locking out the old ones.

Daniel and Tyler were working on a password backend rework last summer, which I'm really sorry I missed pushing internally. Both, iirc, prompted for a password change on login if the user's group membership required more complexity, which is the right way to go in the long run, imo.

Wikibugs-l mailing list: https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
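The policy shape the comment proposes (minimum length enforced at account creation and password change, not at login, with a forced change prompted on login when the user's groups require more), as an added example written for this page and not MediaWiki's code; the per-group minimums, function names and the PBKDF2 storage are assumptions:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed per-group minimums (constructed for this example, not MediaWiki's
# values); "*" is the floor for every account, groups may demand more.
MIN_LENGTH_BY_GROUP = {"*": 8, "sysop": 10, "bureaucrat": 12}

class PolicyError(ValueError):
    """A new password does not meet the required minimum length."""

@dataclass
class Account:
    name: str
    groups: frozenset
    salt: bytes = b""
    digest: bytes = b""
    must_change: bool = False

def required_length(groups):
    """Strictest minimum across the account's groups and the global floor."""
    return max(MIN_LENGTH_BY_GROUP.get(g, 0) for g in set(groups) | {"*"})

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def set_password(acct, password, enforce=True):
    """Creation and password change: the length check lives here, not in
    login(). enforce=False simulates an account created before the policy."""
    if enforce and len(password) < required_length(acct.groups):
        raise PolicyError(f"{acct.name}: need >= {required_length(acct.groups)} chars")
    acct.salt = secrets.token_bytes(16)
    acct.digest = _digest(password, acct.salt)
    acct.must_change = False
    return acct

def create_account(name, password, groups=(), legacy=False):
    return set_password(Account(name, frozenset(groups)), password, enforce=not legacy)

def login(acct, password):
    """Verify the credential only; a legacy password shorter than the current
    requirement still authenticates but is flagged for a forced change.
    Returns (authenticated, must_change)."""
    if not hmac.compare_digest(_digest(password, acct.salt), acct.digest):
        return False, False
    acct.must_change = len(password) < required_length(acct.groups)
    return True, acct.must_change
```

Raising the floor in MIN_LENGTH_BY_GROUP then rejects short passwords only for new accounts and changes, while existing short-password accounts keep logging in and are routed to a change.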
