Steve Sanbeg wrote:
On Mon, 07 May 2007 16:19:28 -0600, Jeff V. Merkey wrote:
What you should do here is after three failed attempts **CHANGE** the password and email the new password to the affected account. Otherwise, the account is locked up. It will require people enter a valid email address, but oh well.
Jeff
DOS and spam seems like adding insult to injury. I'd expect lot of complaints from the poor users who's passwords change hourly.
Slowing down the response rate based on the number of requests seems less painful.
Actually no. Only one password email can be sent every 24 hours. This is how the current MediaWiki works, so this would work well.
Jeff
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/wikitech-l