On 11/30/07, Christensen, Courtney ChristensenC@battelle.org wrote:
> Hi List,
> I've searched Google, mediawiki.org, the mailing list archives, and looked through the listed extensions, but I have been unable to find anything about keeping MediaWiki accounts from being brute-forced. I'm specifically looking for something that locks an account down after a specified number of login attempts or which adds time between login requests when the password is given incorrectly. Do measures like this exist? Did I just use the wrong search terms?

There were no such features until recently, I think, at least for logins. Now I think the ConfirmEdit extension has been updated so this is an option, as MinuteElectron says. However, this does nothing against a manual attacker or a bot that can crack the captcha, I don't think. A general lockout for logins to an account can be used for DoS unless it's IP-specific, in which case it can be pretty effectively bypassed by anyone using open proxies, *and* used for DoS by anyone who can spoof IP addresses (e.g., using AOL's different-IP-per-page thing to block a big chunk of AOL users from logging into an account).
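
The trade-off described in the reply above, as an added example that is not part of the original thread and is not MediaWiki or ConfirmEdit code: the same failed-login counter keyed per account versus per (account, IP), replayed against constructed traffic. The class and function names, the limits, and the documentation-range IP addresses are all assumptions made for illustration.

```python
from collections import defaultdict

class LoginThrottle:
    """Block further attempts once a bucket has max_failures failures in window seconds."""
    def __init__(self, key, max_failures=5, window=300):
        self.key = key                      # function (account, ip) -> bucket
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(list)   # bucket -> failure timestamps

    def allowed(self, account, ip, now):
        bucket = self.key(account, ip)
        # Drop failures that have aged out of the window before counting.
        recent = [t for t in self.failures[bucket] if now - t < self.window]
        self.failures[bucket] = recent
        return len(recent) < self.max_failures

    def record_failure(self, account, ip, now):
        self.failures[self.key(account, ip)].append(now)

def per_account(account, ip):
    return account            # one counter shared by every source address

def per_account_ip(account, ip):
    return (account, ip)      # separate counter for each source address

def simulate(throttle, source_ips, owner_ip, account="alice"):
    """Replay one wrong-password attempt per entry in source_ips (one per second).
    Returns (guesses that reached the password check, owner still allowed to try)."""
    checked = 0
    now = 0
    for ip in source_ips:
        if throttle.allowed(account, ip, now):
            throttle.record_failure(account, ip, now)
            checked += 1
        now += 1
    return checked, throttle.allowed(account, owner_ip, now)

# Constructed sample traffic (RFC 5737 documentation addresses).
OWNER_IP = "192.0.2.10"
SINGLE_SOURCE = ["203.0.113.7"] * 20
MANY_SOURCES = [f"198.51.100.{i}" for i in range(20)]

if __name__ == "__main__":
    for name, key in (("per-account", per_account), ("per-account+IP", per_account_ip)):
        for label, traffic in (("single source", SINGLE_SOURCE), ("many sources", MANY_SOURCES)):
            checked, owner_ok = simulate(LoginThrottle(key), traffic, OWNER_IP)
            print(f"{name:15} {label:14} guesses checked={checked:2} owner can log in={owner_ok}")
```

The per-account counter caps guessing at five attempts in both runs but also shuts out the legitimate owner; the per-(account, IP) counter keeps the owner working but lets every new source address start from zero.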