https://bugzilla.wikimedia.org/show_bug.cgi?id=61101

--- Comment #9 from Jeff Green <jgr...@wikimedia.org> ---
Regarding PasswordMaxLoginFailed I squinted at code and config and the feature
does not appear to pay any attention to client host. I'm not sure whether
that's good or bad--if it were host-specific it would be pretty easy to bypass.

But whereas lockouts are usually time-based (i.e. 3 failed attempts gets you
locked out for 10 minutes) I don't see anything in the code having to do with
timers or auto unlock. I could be missing something.

If this is in fact the case, and lockout requires manual intervention by
another admin, I would suggest we set it to ~10. I understand the DOS concern but
IMO it's an acceptable tradeoff for not leaving ourselves wide open to brute
force attacks. We can easily disable the lockout feature if it becomes a
problem.

Password length--6 is way too short, especially without other features to slow
down brute force attacks.

_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

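The two lockout models the comment contrasts, as an added example (not Bugzilla's code and not taken from the bug report): a counter-only lockout that stays in force until an administrator resets it, beside a time-windowed one that unlocks itself after a fixed period. The class and function names, the threshold and window values, and the sample attempt sequence are constructed for illustration; the counter is keyed by account rather than client host, matching what the comment observed about the feature.

```python
"""Account lockout models: counter-only (manual unlock) vs. time-windowed.

Added illustration, not code from Bugzilla or from the bug report. All names,
thresholds and the sample login sequence are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AccountState:
    failures: int = 0                    # consecutive failed attempts
    locked_until: Optional[float] = None  # expiry of a timed lockout, if any
    manually_locked: bool = False         # set by a counter-only policy


class LockoutPolicy:
    """Tracks failed logins per account (not per client host, so rotating
    source addresses does not reset the counter)."""

    def __init__(self, max_failures: int, lockout_seconds: Optional[float]):
        # lockout_seconds=None models a counter-only policy: once the threshold
        # is reached the account stays locked until an admin resets it.
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.manually_locked:
            return True
        if st.locked_until is not None:
            if now < st.locked_until:
                return True
            # Window expired: auto-unlock and start counting afresh.
            st.locked_until = None
            st.failures = 0
        return False

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one login attempt; returns 'ok', 'rejected' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"  # a correct password is not even evaluated
        st = self._state(user)
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            if self.lockout_seconds is None:
                st.manually_locked = True
            else:
                st.locked_until = now + self.lockout_seconds
            return "locked"
        return "rejected"

    def admin_unlock(self, user: str) -> None:
        """Manual reset, the only way out of a counter-only lockout."""
        st = self._state(user)
        st.manually_locked = False
        st.locked_until = None
        st.failures = 0


def guesses_per_hour(max_failures: int, lockout_seconds: Optional[float]) -> Optional[float]:
    """Upper bound on online guesses against one account per hour.

    A timed policy bounds the rate; a counter-only policy bounds the total
    (returns None: after max_failures guesses the account is closed until reset).
    """
    if lockout_seconds is None:
        return None
    return max_failures * 3600.0 / lockout_seconds


def simulate(policy: LockoutPolicy, events: List[Tuple[str, bool, float]]) -> List[str]:
    """Run a constructed sequence of (user, password_ok, timestamp) events."""
    return [policy.attempt(user, ok, t) for user, ok, t in events]


if __name__ == "__main__":
    timed = LockoutPolicy(max_failures=3, lockout_seconds=600)
    seq = [("alice", False, 0), ("alice", False, 1), ("alice", False, 2),
           ("alice", True, 3), ("alice", True, 602)]
    print("timed lockout:", simulate(timed, seq))
    manual = LockoutPolicy(max_failures=10, lockout_seconds=None)
    seq = [("bob", False, float(i)) for i in range(10)] + [("bob", True, 10_000)]
    print("counter-only:", simulate(manual, seq))
    manual.admin_unlock("bob")
    print("after admin unlock:", manual.attempt("bob", True, 10_001))
```

With a threshold of 3 and a 10-minute window, `guesses_per_hour` bounds an online attacker to 18 guesses per account per hour; the counter-only policy instead caps the total at the threshold but, as the comment notes, turns every lockout into an admin ticket, which is the denial-of-service trade-off being weighed.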