Author: tra.wiki
Description:
It is possible for the password of an account on any Wikimedia wiki to be compromised by a brute-force attack, as long as the same account name has not already been registered on testwiki.
Steps that could be taken by an attacker:
- Register the desired account name on test.wikipedia.org
- Visit http://test.wikipedia.org/wiki/Special:MergeAccount and enter their password when prompted.
- Run a bot that brute-forces the password by submitting candidate passwords in the 'Confirm more accounts' section until the page reports that a guess is the correct password for one of the accounts listed.
- Use the password that is known to work to log in normally at the relevant login page.
To resolve this problem, a captcha should be added to all password prompts at [[testwiki:Special:MergeAccount]] after an incorrect password is entered, or alternatively the page could be disabled temporarily since it is only there as a test/demo.
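As an added illustration of the proposed fix (this is a model written for this report, not MediaWiki code): a minimal "confirm more accounts" check that demands a CAPTCHA on every retry after a wrong password and additionally caps failures per session. Class, function and account names are hypothetical, and PBKDF2 stands in for the real password store.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash(password: str, salt: bytes) -> bytes:
    # Constructed stand-in for the home wiki's password hashing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes


@dataclass
class ConfirmAccountsGate:
    # name -> Account: the unattached accounts listed on the merge page
    accounts: dict
    max_failures: int = 5  # constructed cap; exceeding it refuses the session
    failures: dict = field(default_factory=dict)          # session -> wrong guesses
    captcha_required: set = field(default_factory=set)    # sessions that missed once

    def confirm(self, session: str, password: str, captcha_ok: bool = False) -> str:
        """Return 'locked', 'captcha', 'wrong' or 'confirmed:<name>'."""
        if self.failures.get(session, 0) >= self.max_failures:
            return "locked"
        # The report's fix: after one incorrect password, no further guess is
        # checked unless the request carries a solved CAPTCHA.
        if session in self.captcha_required and not captcha_ok:
            return "captcha"
        for name, acct in self.accounts.items():
            if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
                self.failures.pop(session, None)
                self.captcha_required.discard(session)
                return f"confirmed:{name}"
        self.failures[session] = self.failures.get(session, 0) + 1
        self.captcha_required.add(session)
        return "wrong"


def build_gate() -> ConfirmAccountsGate:
    # Constructed sample data: one listed account with a known password.
    salt = secrets.token_bytes(16)
    return ConfirmAccountsGate({"Example_user": Account(salt, _hash("correct horse", salt))})
```

Without the `captcha_required` check the loop above is exactly the oracle the report describes: unlimited guesses, each tested against every listed account.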
Version: unspecified
Severity: normal
URL: http://test.wikipedia.org/wiki/Special:MergeAccount