Page MenuHomePhabricator
Create Task
Maniphest T7370

Throttle password reminder requests
Closed, ResolvedPublic
Actions

Description

Today I got spammed. Over 30 new passwords... :S Some funny guy requested a new
password for me over 30 times, and over 30 times i received an email. This is
not really something fun, and is a way to get people a hard life.
Is it possible to limit the request for a new password to once per hour for
every user? Please, make that possible, because this is not the first time,
however this is the first time it is in this amount.
Thanks a lot, you prevent a very nasty kind of spamattack with this.

Effeietsanders

Version: unspecified
Severity: enhancement
URL: http://nl.wikipedia.org/w/index.php?title=Speciaal:Userlogin

Details

Reference
bz5370

Related Objects

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:09 PM
bzimport added a project: MediaWiki-User-login-and-signup.
bzimport set Reference to bz5370.
Effeietsanders created this task.Mar 27 2006, 8:19 AM
bzimport added a comment.May 12 2006, 6:26 PM

robchur wrote:

*** Bug 5799 has been marked as a duplicate of this bug. ***

bzimport added a comment.May 13 2006, 5:32 PM

robchur wrote:

Fixed in SVN trunk, r14200. Requests can now be throttled with the rate limiter.

bzimport added a comment.May 16 2006, 3:04 AM

robchur wrote:

*** Bug 4227 has been marked as a duplicate of this bug. ***

bzimport added a comment.Oct 21 2006, 6:40 AM

wiki.bugzilla wrote:

see bug 7078 for the request to enable it on Wikimedia's wikis

bzimport added a comment.Oct 21 2006, 2:01 PM

anyfile wrote:

A way to solve the use of this function to generate spam toward unknown address
would be to ask the user to supply his/her e-mail address and only if the given
e-mail address is the same of the one in the user configuration the password is
sent.

This system would however open a new problem: how to manage users that have lost
their password and do not remember what e-mail address have used? (a possible
way to solve this new problem would be to allow some very trusted user -like the
one with checkuser privilege- to be able to generate the password sending
without specifing the address)

Effeietsanders added a comment.Oct 21 2006, 2:05 PM

note: this is not about *disabling* the possibility, but about limiting it. Like
once per day. Don't tell me you forget your password more then once a day ;-)

Anomie mentioned this in T181070: Re-evaluate 24-hour Password Reset email throttle.Nov 21 2017, 6:52 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits