https://bugzilla.wikimedia.org/show_bug.cgi?id=61101
--- Comment #9 from Jeff Green <[email protected]> ---

Regarding PasswordMaxLoginFailed: I squinted at code and config and the feature does not appear to pay any attention to client host. I'm not sure whether that's good or bad--if it were host-specific it would be pretty easy to bypass. But whereas lockouts are usually time-based (i.e. 3 failed attempts gets you locked out for 10 minutes), I don't see anything in the code having to do with timers or auto unlock. I could be missing something.

If this is in fact the case, and lockout requires manual intervention by another admin, I would suggest we set it to ~10. I understand the DOS concern but IMO it's an acceptable tradeoff for not leaving ourselves wide open to brute force attacks. We can easily disable the lockout feature if it becomes a problem.

Password length--6 is way too short, especially without other features to slow down brute force attacks.

Wikibugs-l mailing list
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
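The two lockout designs the comment contrasts, as an added illustration that is not MediaWiki code: a per-account failure counter that expires after a time window (and so unlocks itself), beside the same counter with no timer, which stays locked until an admin resets it. Keying by account rather than client host follows the comment's observation; the class, method and parameter names are assumptions.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per-account failed-login lockout (constructed example, not MediaWiki's).

    window_seconds=N  : failures older than N seconds are forgotten, so a
                        lockout clears itself after N seconds (time-based).
    window_seconds=None: failures never expire; the account stays locked
                        until admin_reset() is called (manual unlock).
    """

    def __init__(self, max_failures=10, window_seconds=600):
        self.max_failures = max_failures   # stands in for PasswordMaxLoginFailed
        self.window = window_seconds
        self._failures = defaultdict(list)  # account -> timestamps of failures

    def _prune(self, account, now):
        # With no window, nothing ever expires: this is the "no timer" variant.
        if self.window is None:
            return
        cutoff = now - self.window
        self._failures[account] = [t for t in self._failures[account] if t > cutoff]

    def is_locked(self, account, now=None):
        now = time.time() if now is None else now
        self._prune(account, now)
        return len(self._failures[account]) >= self.max_failures

    def seconds_until_unlock(self, account, now=None):
        """Seconds until the lock clears by itself; None if only an admin can clear it."""
        now = time.time() if now is None else now
        if not self.is_locked(account, now):
            return 0
        if self.window is None:
            return None
        return max(0, min(self._failures[account]) + self.window - now)

    def record_failure(self, account, now=None):
        """Record one failed attempt for the account; return True if it is now locked."""
        now = time.time() if now is None else now
        self._prune(account, now)
        self._failures[account].append(now)
        return self.is_locked(account, now)

    def record_success(self, account):
        self._failures.pop(account, None)   # a good login clears the counter

    def admin_reset(self, account):
        self._failures.pop(account, None)   # the manual intervention the comment describes
```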
