“Password spray” attacks aim at collecting as many (account, password) pairs as possible, targeting either accounts with low-entropy passwords or high-value accounts (sysops or above). See for instance this blog post from Microsoft about this attack.
I am opening this task to propose and discuss mitigations in MediaWiki core, particularly throttling. Other types of mitigations that encourage users to use robust passwords and authentication methods are already available: $wgPasswordPolicy in core, and the extensions ConfirmEdit, OATHAuth, WebAuthn…
I am opening this as a security task, but it can be made public given there is no immediate threat; this is about raising security standards (although some attackers may be monitoring Phabricator, and this would be an easy clue about the absence of throttling countermeasures against password sprays – I don’t know).
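To make the throttling point concrete, here is an added illustration (not MediaWiki code, and not part of this task's proposal): a per-account throttle counts failures per (account, source), which a spray never trips because it tries only one or two passwords per account; a spray-aware throttle additionally counts, per source, how many distinct accounts failed within a window. The limits, window lengths, IP addresses, account names and event timings are constructed assumptions.

```python
from collections import defaultdict, deque


class SprayAwareThrottle:
    """Two limits: failures per (account, ip), and distinct failed accounts per ip."""

    def __init__(self, per_account=(5, 300), per_source_accounts=(10, 3600)):
        self.acct_limit, self.acct_window = per_account          # assumed values
        self.src_limit, self.src_window = per_source_accounts    # assumed values
        self.acct_fail = defaultdict(deque)   # (account, ip) -> failure timestamps
        self.src_fail = defaultdict(deque)    # ip -> (timestamp, account) of failures

    @staticmethod
    def _expire(q, now, window, key=lambda e: e):
        # Drop entries that have fallen out of the sliding window.
        while q and key(q[0]) <= now - window:
            q.popleft()

    def is_throttled(self, ip, account, now):
        """Return None if the attempt may proceed, else which limit blocks it."""
        aq = self.acct_fail[(account, ip)]
        self._expire(aq, now, self.acct_window)
        if len(aq) >= self.acct_limit:
            return "account"            # classic brute force on one account
        sq = self.src_fail[ip]
        self._expire(sq, now, self.src_window, key=lambda e: e[0])
        if len({acct for _, acct in sq}) >= self.src_limit:
            return "spray"              # one source, many distinct accounts
        return None

    def record_failure(self, ip, account, now):
        self.acct_fail[(account, ip)].append(now)
        self.src_fail[ip].append((now, account))


def simulate(events, throttle=None):
    """events: (timestamp, ip, account); every attempt is assumed to use a wrong password."""
    t = throttle or SprayAwareThrottle()
    decisions = []
    for now, ip, account in events:
        reason = t.is_throttled(ip, account, now)
        if reason is None:
            t.record_failure(ip, account, now)  # constructed: the password check failed
        decisions.append(reason)
    return decisions


# Constructed sample: one source tries a single password against 12 different accounts.
SPRAY = [(10 * i, "198.51.100.7", f"User{i}") for i in range(12)]
# Constructed sample: one source hammers a single account.
BRUTE = [(10 * i, "203.0.113.9", "Admin") for i in range(7)]
```

Running `simulate(SPRAY)` shows the per-account limit never triggers (each account fails once), while the spray limit blocks the eleventh account; `simulate(BRUTE)` is blocked by the per-account limit on the sixth attempt.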
Affiliation: Wiki Valley
CC: Navid, apprentice in IT security in our company