IP addresses which do N bad login attemps should be blocked from
accessing login page for Z minutes (You have done too many bad login
attempts, please wait 5 minutes before trying again)
This would help to avoid bots who try to compromise account by trying
The target user should be notified according to their personal config
(They could specify if they want to be warned if someone is about to
compromise their account or not)
On Wed, Apr 4, 2012 at 9:43 AM, Petr Bena <benapetr(a)gmail.com> wrote:
I have seen there is a lot of wikis where people are
inactive sysops. They managed to set up a strange rule where sysop
rights are removed from inactive users to improve the security.
However the sysops are allowed to request the flag to be restored
anytime. This doesn't improve security even a bit as long as hacker
who would get to some of inactive accounts could just post a request
and get the sysop rights just as if they hacked to active user.
For this reason I think we should create a new extension auto sysop
removal, which would remove the flag from all users who didn't login
to system for some time, and if they logged back, the confirmation
code would be sent to email, so that they could reactivate the sysop
account. This would be much simpler and it would actually make hacking
to sysop accounts much harder. I also believe it would be nice if
system sent an email to holder of account when someone do more than 5
bad login attemps, in order to be warned that someone is likely trying
to compromise their account.