--- Comment #9 from Jeff Green <> ---
Regarding PasswordMaxLoginFailed I squinted at code and config and the feature
does not appear to pay any attention to client host. I'm not sure whether
that's good or bad--if it were host-specific it would be pretty easy to bypass.

But whereas lockouts are usually time-based (i.e. 3 failed attempts gets you
locked out for 10 minutes) I don't see anything in the code having to do with
timers or auto unlock. I could be missing something.

If this is in fact the case, and lockout requires manual intervention by
another admin, I would suggest we set it to ~10. I understand the DOS concern but
IMO it's an acceptable tradeoff for not leaving ourselves wide open to brute
force attacks. We can easily disable the lockout feature if it becomes a

Password length--6 is way too short, especially without other features to slow
down brute force attacks.
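The time-based lockout the comment contrasts with the current behaviour, as an added illustration that is not code from the bug tracker or the project under discussion: a per-account counter that locks after N consecutive failures and unlocks itself after a fixed window, ignoring the client host as the comment recommends. The class, method names and the injectable clock are assumptions made for the example.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per-account lockout with automatic expiry (hypothetical helper).

    After `max_failed` consecutive failures the account is locked for
    `lockout_seconds`, then unlocks on its own. The client host is
    deliberately not part of the key: a per-host counter is easy to
    sidestep. The cost of keying on the account is that anyone who knows
    a username can lock it; the timer bounds that denial of service to
    one lockout window instead of "until an admin intervenes".
    """

    def __init__(self, max_failed=3, lockout_seconds=600, clock=time.monotonic):
        self.max_failed = max_failed
        self.lockout_seconds = lockout_seconds
        self.clock = clock                    # injectable for testing
        self.failures = defaultdict(int)      # account -> consecutive failures
        self.locked_until = {}                # account -> unlock timestamp

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:             # window elapsed: auto-unlock
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def attempt(self, account, verify):
        """verify() checks the credentials; it is skipped while locked so a
        locked account gives no password oracle. Returns a status string."""
        if self.is_locked(account):
            return "locked"
        if verify():
            self.failures[account] = 0        # success resets the counter
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failed:
            self.locked_until[account] = self.clock() + self.lockout_seconds
            return "locked"
        return "failed"


class FakeClock:
    """Constructed clock so the lockout window can be advanced in tests."""
    def __init__(self, start=0.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds
```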
