Page MenuHomePhabricator

Better limitation on number of password guesses people can make
Closed, ResolvedPublic

Description

Currently we have

$wgPasswordAttemptThrottle = array( 'count' => 5, 'seconds' => 300 );

Which means people can only make 5 attempts in a 5 minute time span for a given (IP, user-account) pair.

We have to be careful about potential DOS attacks, but I think we should also have additional limits

I think in addition to the short term limit, we should also have a long term limit. long term limits are much less likely to accidentally catch a legit user, and much more likely to catch an attacker.

For example, I think we should also have a limit of 150 attempts per every 48 hours (for the IP, user-account tuple). Someone forgetting their password could conceivably, make more than 5 attempts in 5 minutes and accidentially lock themselves out, but it seems very unlikely anyone would legitimately make 150 incorrect guesses without a single correct guess in between.

I also think we should have limits for guesses based solely on the account (and not taking the source IP into consideration). Its reasonable to assume an attacker has a botnet at their disposal. Here we have to be careful, as this is also an easy DOS to lock someone out of their account. I think a limit of 100 attempts per every 10 minutes would be reasonable.

For limits based solely on IP (not taking targeted account into consideration), its harder to know what to do. There's a lot more potential for false positives (when many people share the same IP). Currently we show a CAPTCHA if there's been 3 fails in the last five minutes. That might be the best we can do. Maybe we could do something like, calculate the highest number of logins we get across the entire site in a five minute interval, double that number, and if a single IP exceeds that, block logins from that IP. At least that would slow down an attacker who doesn't care which account they compromise, as long as they compromise 1.

Event Timeline

Bawolff created this task.Dec 22 2015, 12:37 PM
Bawolff raised the priority of this task from to Normal.
Bawolff updated the task description. (Show Details)
Bawolff added projects: Security-Team, Security.
Bawolff added subscribers: StudiesWorld, Bawolff, Aklapper.

Also, its been suggested on the RFC to look at IPs the user has previously logged in from, and have more restrictive limits if the user has never logged in from the IP in question previously.

Restricted Application added a subscriber: Luke081515. · View Herald TranscriptDec 22 2015, 10:01 PM
Liuxinyu970226 added a subscriber: Liuxinyu970226.
Bawolff claimed this task.Dec 29 2015, 10:28 PM

Change 270669 had a related patch set uploaded (by Brian Wolff):
Allow more fine-grained throttling of login attempts

https://gerrit.wikimedia.org/r/270669

Also, its been suggested on the RFC to look at IPs the user has previously logged in from, and have more restrictive limits if the user has never logged in from the IP in question previously.

Which RfC?

Change 270669 merged by jenkins-bot:
Allow more fine-grained throttling of login attempts

https://gerrit.wikimedia.org/r/270669

Restricted Application added a subscriber: Malyacko. · View Herald TranscriptFeb 26 2016, 10:40 PM

Change 274036 had a related patch set uploaded (by Brian Wolff):
Show captcha if a specific user account has many failed login attempts

https://gerrit.wikimedia.org/r/274036

Restricted Application added a subscriber: Florian. · View Herald TranscriptMar 3 2016, 4:37 PM

Change 274036 merged by jenkins-bot:
Show captcha if a specific user account has many failed login attempts

https://gerrit.wikimedia.org/r/274036

Bawolff closed this task as Resolved.Jun 9 2016, 6:39 PM

Guess this is resolved. Although we never did do the non-IP specific limit (But we do have a non-IP specific captcha trigger)

Change 321334 had a related patch set uploaded (by Nemo bis):
Limit the number of password attempts performed from each IP

https://gerrit.wikimedia.org/r/321334

I'm probably missing something big and obvious, but AFAICT the DOS risk is no good reason to stay without a per-IP limit, for the reasons described in https://www.mediawiki.org/wiki/Requests_for_comment/Passwords#Threats .

By the way, is there a task to make the IP address comparison more lenient for IPv6 (e.g. establishing that every address in a /112 is the same for the purposes of blocks etc.)?

sbassett moved this task from Backlog to Done on the Security-Team board.Jun 11 2019, 7:08 PM