Globally throttle password attempts
Closed, ResolvedPublic

Description

The 5 guesses / 5 minutes throttle is set per wiki,

$throttleKey = wfMemcKey( 'password-throttle', $wgRequest->getIP(), md5( $username ) );

so does ConfirmEdit,

wfMemcKey( 'captcha', 'badlogin', 'ip', $ip );

CentralAuth doesn't do throttling.

I think we should either have a globalthrottle extension, or just make these use a global cache key.

csteipp created this task. Feb 11 2016, 10:28 PM
csteipp updated the task description.
csteipp raised the priority of this task from to Normal.
csteipp assigned this task to Bawolff.
csteipp added projects: Security, Security-Team.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp changed Security from None to Software security bug.
csteipp added subscribers: Bawolff, csteipp.
Restricted Application added a subscriber: Aklapper. Feb 11 2016, 10:28 PM

Can this go in normal gerrit patches, or should it be secret patches on the bug?

Since we're already using the username, let's just use a global cache key... so s/wfMemcKey/wfGlobalCacheKey/ in those two places?

Yes, I agree, global cache key sounds good.
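To make the effect of the key scoping concrete, here is a small Python model of the throttle described in the task and the fix proposed above. It is an added illustration, not MediaWiki or ConfirmEdit code: the `per_wiki_key` function mimics a wfMemcKey-style key (prefixed with the wiki id) and `global_key` mimics a wfGlobalCacheKey-style key (no wiki prefix); the in-memory dict stands in for memcached, and the wiki names, IP and username are constructed sample values. The point it shows is that with per-wiki keys the same IP/username pair gets a fresh 5-attempt budget on every wiki in the farm, while the global key enforces one budget across all of them.

```python
"""Model of a per-IP/username password-attempt throttle (constructed example,
not MediaWiki code). Compares a per-wiki cache key with a global cache key for
the same IP + username pair across several wikis of one farm."""
import hashlib
import time

MAX_ATTEMPTS = 5        # "5 guesses / 5 minutes" from the task description
WINDOW_SECONDS = 300


def per_wiki_key(wiki, ip, username):
    # wfMemcKey-style: the wiki id is part of the key, so every wiki keeps
    # its own counter for the same IP/username pair.
    digest = hashlib.md5(username.encode("utf-8")).hexdigest()
    return f"{wiki}:password-throttle:{ip}:{digest}"


def global_key(wiki, ip, username):
    # wfGlobalCacheKey-style: the wiki id is dropped, so all wikis on the
    # farm share a single counter. `wiki` is accepted but ignored on purpose.
    digest = hashlib.md5(username.encode("utf-8")).hexdigest()
    return f"global:password-throttle:{ip}:{digest}"


class Throttle:
    """Fixed-window counter keyed by key_fn; self.cache stands in for memcached."""

    def __init__(self, key_fn, clock=time.monotonic):
        self.key_fn = key_fn
        self.clock = clock
        self.cache = {}  # key -> (count, window_expiry)

    def check_and_increment(self, wiki, ip, username):
        """Return True and count the attempt if allowed; False if throttled."""
        key = self.key_fn(wiki, ip, username)
        now = self.clock()
        count, expiry = self.cache.get(key, (0, now + WINDOW_SECONDS))
        if expiry <= now:
            # Window elapsed: the entry would have expired from the cache.
            count, expiry = 0, now + WINDOW_SECONDS
        if count >= MAX_ATTEMPTS:
            return False
        self.cache[key] = (count + 1, expiry)
        return True


def attempts_allowed(key_fn, wikis, ip, username, attempts_per_wiki):
    """How many login attempts for one IP/username get through across the
    listed wikis inside a single window (clock frozen at t=0)."""
    throttle = Throttle(key_fn, clock=lambda: 0.0)
    allowed = 0
    for wiki in wikis:
        for _ in range(attempts_per_wiki):
            if throttle.check_and_increment(wiki, ip, username):
                allowed += 1
    return allowed


if __name__ == "__main__":
    # Constructed sample farm and credentials.
    farm = ["enwiki", "dewiki", "frwiki"]
    ip, user = "203.0.113.7", "Alice"
    print("per-wiki key:", attempts_allowed(per_wiki_key, farm, ip, user, 10))  # 15
    print("global key:  ", attempts_allowed(global_key, farm, ip, user, 10))    # 5
```

With three wikis the per-wiki keying admits 15 attempts in one window and the global keying admits 5, which is the whole reason for the s/wfMemcKey/wfGlobalCacheKey/ change; the same reasoning applies to the ConfirmEdit `badlogin` key, which is scoped by IP alone.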

Bawolff closed this task as Resolved.Feb 16 2016, 10:02 PM

Patches are merged, so I'm going to mark this as resolved, but make it block T124940 as a reminder that the patch should maybe be backported for the various branches next release.

demon changed the visibility from "Custom Policy" to "Public (No Login Required)". May 20 2016, 5:26 PM
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.
Restricted Application added a subscriber: Malyacko. May 20 2016, 5:26 PM