Right now temporary passwords are handled by MediaWiki core, not the central login extension, which has various disadvantages (e.g. throttling is per-wiki and easy to get around; the temp password only works on the wiki where you got it; T149003: TemporaryPasswordPrimaryAuthenticationProvider does not work with non-DB-based passwords). CentralAuth should probably duplicate the temp password handling logic and store the data in the central DB.
|Resolved||None||T14884 Login and account creation should be by secure http.|
|Open||None||T11816 Improve security for Special:Userlogin (tracking)|
|Open||None||T19487 mail password per user rate limit should be global for SUL accounts|
|Open||None||T42050 Allow password reset requests to be handled centrally for unified users|
|Open||None||T151012 CentralAuth should have its own temporary password handling|