https://bugzilla.wikimedia.org/show_bug.cgi?id=40496
Carl Austin Bennett <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #5 from Carl Austin Bennett <[email protected]> ---
It's not just a question of limiting the number of captchas that a single user can harvest... there needs to be a limit on the number of failed attempts. Handing them one CAPTCHA and letting them make 4096 guesses at it won't help.

The $wgCaptchaBadLoginAttempts variable actually isn't intended to limit the number of failed CAPTCHA attempts. It's intended to limit the number of bad password attempts on an existing account before subsequent log in attempts require both a CAPTCHA and password be supplied.

As such, a bot attempting to create 4096 shiny new accounts against Assira by submitting a random 12-bit answer "dog, cat, dog, dog, dog, cat, dog, dog, dog, cat, dog, dog" will get one new account and 4095 errors.

If after 'n' consecutive bad CAPTCHA attempts the offending 'bot were simply http://en.uncyclopedia.co/wiki/Banned_from_the_Internet there would be no 4096th attempt to get past Assira.
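The limit on consecutive failed CAPTCHA attempts proposed in the comment above, sketched as an added example; it is not part of the original bug comment and is not ConfirmEdit or MediaWiki code. The class and function names, the client key (a documentation IP address), the value n = 5 and the fixed answer 2748 are assumptions made for illustration.

```python
import secrets

ANSWER_SPACE = 1 << 12      # the comment's 12-bit answer: 4096 possibilities
MAX_FAILS = 5               # the comment's 'n'; 5 is an assumed value


class CaptchaGate:
    """Per-client CAPTCHA check that blocks after max_fails consecutive misses."""

    def __init__(self, max_fails=MAX_FAILS):
        self.max_fails = max_fails    # None reproduces the unlimited behaviour
        self.fails = {}               # client -> consecutive failed attempts
        self.challenge = {}           # client -> expected answer

    def issue(self, client, answer=None):
        # A fixed answer may be passed in so the demonstration is repeatable.
        if answer is None:
            answer = secrets.randbelow(ANSWER_SPACE)
        self.challenge[client] = answer

    def attempt(self, client, answer):
        """Return 'ok', 'bad' or 'blocked' for one submission."""
        if self.max_fails is not None and self.fails.get(client, 0) >= self.max_fails:
            return "blocked"          # refused before the answer is compared
        expected = self.challenge.get(client)
        if expected is not None and expected == answer:
            self.fails[client] = 0
            del self.challenge[client]    # a solved challenge is single-use
            return "ok"
        self.fails[client] = self.fails.get(client, 0) + 1
        return "bad"


def enumerate_answers(gate, answer, client="198.51.100.7"):
    """Try every possible answer against one challenge and tally the results."""
    gate.issue(client, answer)
    tally = {"ok": 0, "bad": 0, "blocked": 0}
    for guess in range(ANSWER_SPACE):
        tally[gate.attempt(client, guess)] += 1
    return tally


def bypass_probability(n):
    """Chance that at least one of n random guesses passes before the block."""
    return 1 - (1 - 1 / ANSWER_SPACE) ** n


if __name__ == "__main__":
    print("no limit:", enumerate_answers(CaptchaGate(max_fails=None), answer=2748))
    print("limit 5: ", enumerate_answers(CaptchaGate(), answer=2748))
    print("P(bypass within 5 guesses) = %.5f" % bypass_probability(5))
```

The counters here live in process memory and are keyed on a single client identifier; a deployment would keep them in shared storage and choose the key and any expiry to suit its own traffic.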
