--- Comment #9 from Jeff Green <jgr...@wikimedia.org> ---
Regarding PasswordMaxLoginFailed I squinted at code and config and the feature
does not appear to pay any attention to client host. I'm not sure whether
that's good or bad--if it were host-specific it would be pretty easy to bypass.
But whereas lockouts are usually time-based (i.e. 3 failed attempts gets you
locked out for 10 minutes) I don't see anything in the code having to do with
timers or auto unlock. I could be missing something.
If this is in fact the case, and lockout requires manual intervention by
another admin, I would suggest we set it to ~10. I understand the DOS concern but
IMO it's an acceptable tradeoff for not leaving ourselves wide open to brute
force attacks. We can easily disable the lockout feature if it becomes a

Password length--6 is way too short, especially without other features to slow
down brute force attacks.