
Password throttling please?
Closed, ResolvedPublic



I know this has been discussed before, but I can't see any resolution, nor any strong objections.

Is any password throttling regime in place (assuming captcha is satisfied)? If not, can any be, even if simple?

Version: unspecified
Severity: enhancement




Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:58 PM
bzimport set Reference to bz12370.
bzimport added a subscriber: Unknown Object (MLST). wrote:

An entry just appeared on oversight-l regarding an article that indicates users (evidently) brute-forced passwords, including one administrator's. I haven't tested them to see if they're valid, but they probably are, they look plausible.

Oversighted around 22.00 January 8 2008.

Probably a lot of it goes on, but even a simple 20 second delay after a failed login would be good.

Created attachment 5030
Adds 20 second time limit between password attempts.

This patch does not allow a user to attempt login under a certain username if the last failed login attempt was less than or equal to twenty seconds ago, or whatever is defined by $wgPasswordThrottleLimit. Instead, the user is given the throttle-blocked message. There is one bug I will admit with this patch: It does not discriminate which user made the failed login attempt, so if one person makes a failed login attempt, and another separate IP makes another attempt shortly after, they will not be logged in.

Then again, this might be useful. There are a couple of situations in which this would happen: person 1 is the actual user and person 2 is not; person 2 is not the real user while person 1 is; both users are not the actual user. In the first case, person 1 will not notice much, they will just wait twenty seconds, while person 2 is blocked for twenty seconds, which should not matter since the person is not the real user anyway. In the second situation, person 1 is the one who is surprised by a "wait twenty seconds" message, but this might be helpful because it tells the real user that somebody tried to log in to their account. In the last situation, it does not matter at all since neither user is the real user and neither should be logging in.

The way I see it, this patch is good. If anybody wants to change it to make it discriminate by IP, go ahead. Either way, this is something good to at least work off of.
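To make the trade-off in the comment above concrete, here is an added example (not the attached patch, and not MediaWiki's own code) of a minimal login throttle with a configurable limit, in the spirit of the proposed $wgPasswordThrottleLimit. The class, function names and the two IP addresses are illustrative assumptions; it keys the throttle either on the username alone, which reproduces the "second client is also blocked" behaviour described above, or on username plus client IP. A caller-supplied clock value keeps the scenarios deterministic so they run offline.

```python
"""Added example of a per-username password-attempt throttle.

Not MediaWiki's code: names, addresses and timings are constructed for
illustration.  `now` is passed in explicitly instead of reading the system
clock so the two scenarios below are reproducible.
"""

from typing import Dict, Optional, Tuple

DEFAULT_LIMIT = 20  # seconds; mirrors the twenty-second delay proposed above


class PasswordThrottle:
    """Refuse a login attempt while the last *failed* attempt for the same
    throttle key is less than `limit` seconds old.

    key_by_ip=False : one bucket per username (the behaviour of the patch
                      described above - every client sharing the username
                      waits together).
    key_by_ip=True  : one bucket per (username, ip), so one client's wrong
                      guess does not delay another client's correct password.
    """

    def __init__(self, limit: int = DEFAULT_LIMIT, key_by_ip: bool = False) -> None:
        self.limit = limit
        self.key_by_ip = key_by_ip
        self._last_failure: Dict[Tuple[str, Optional[str]], float] = {}

    def _key(self, username: str, ip: str) -> Tuple[str, Optional[str]]:
        # Normalise the username so 'Admin' and 'admin ' land in one bucket.
        return (username.strip().lower(), ip if self.key_by_ip else None)

    def seconds_remaining(self, username: str, ip: str, now: float) -> float:
        """0.0 when an attempt may proceed, otherwise the time still to wait."""
        last = self._last_failure.get(self._key(username, ip))
        if last is None:
            return 0.0
        return max(0.0, self.limit - (now - last))

    def attempt(self, username: str, ip: str, password_ok: bool, now: float) -> str:
        """Return 'throttled', 'failed' or 'success'.

        The throttle is checked *before* the password is consulted, so a
        throttled caller learns nothing about whether the password was right.
        """
        key = self._key(username, ip)
        if self.seconds_remaining(username, ip, now) > 0:
            return "throttled"
        if not password_ok:
            self._last_failure[key] = now
            return "failed"
        # A successful login clears the failure timestamp for this key.
        self._last_failure.pop(key, None)
        return "success"


def run_scenario(key_by_ip: bool) -> Tuple[str, str, str]:
    """Constructed scenario from the comment above: person 1 (10.0.0.1)
    guesses wrong at t=100; person 2 (10.0.0.2) supplies the correct
    password at t=105 and again at t=121.  Returns the three outcomes."""
    throttle = PasswordThrottle(limit=20, key_by_ip=key_by_ip)
    first = throttle.attempt("Admin", "10.0.0.1", password_ok=False, now=100.0)
    second = throttle.attempt("admin", "10.0.0.2", password_ok=True, now=105.0)
    later = throttle.attempt("admin", "10.0.0.2", password_ok=True, now=121.0)
    return first, second, later


if __name__ == "__main__":
    print("username only :", run_scenario(key_by_ip=False))
    print("username + IP :", run_scenario(key_by_ip=True))
```

With `key_by_ip=False` the second client's correct password is refused at t=105 and accepted at t=121, exactly the "wait twenty seconds" experience the comment describes; with `key_by_ip=True` it succeeds immediately. Each choice has a cost worth noting when picking a limit: keying on the username alone lets anyone delay the real user by feeding wrong passwords, while keying on the IP as well means the delay is only per source address. Whichever key is used, the throttle must be checked before the password is verified, and both failed and throttled attempts should be logged so repeated failures against one account are visible to operators.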


Fixed in r38886 (did not use supplied patch).