Page MenuHomePhabricator

Globally throttle password attempts
Closed, ResolvedPublic


The 5 guesses / 5 minutes throttle is set per wiki,

$throttleKey = wfMemcKey( 'password-throttle', $wgRequest->getIP(), md5( $username ) );

so does ConfirmEdit,

wfMemcKey( 'captcha', 'badlogin', 'ip', $ip );

CentralAuth doesn't do throttling.

I think we should either have a globalthrottle extension, or just make these use a global cache key.

Event Timeline

csteipp assigned this task to Bawolff.
csteipp raised the priority of this task from to Medium.
csteipp updated the task description. (Show Details)
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp changed Security from None to Software security bug.
csteipp added subscribers: Bawolff, csteipp.

Can this go in normal gerrit patches, or should it be secret patches on bug?

Since we're already using the username, lets just use a global cache key... so s/wfMemcKey/wfGlobalCacheKey/ in those two places?

Yes, i agree, global cache key sounds good.

Patches are merged, so I'm going to mark this as resolved, but make it block T124940 as a reminder the patch should maybe be backported for the various branches next release.

demon changed the visibility from "Custom Policy" to "Public (No Login Required)".May 20 2016, 5:26 PM
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.