On 27/10/11 00:13, Neil Harris wrote:
> Automatically expiring that temporary password after say, 10 failed reactivation attempts, would reduce the probability of successfully guessing that particular password to around 3 x 10^-12 -- probably safe enough for wiki purposes.
The problem with this approach is that it introduces a DoS vulnerability. Unless the username is secret as well as the password, a limit on the number of "guesses" makes it easy to prevent someone from resetting their password, by flooding the system with fake guesses for the target username.
Rate limiting per IP does not suffer from this problem, which is why we use it. Fixing rate limiting so that it doesn't require memcached and is enabled by default would be useful.
As others in this thread have noted, 40 bits of entropy is plenty for this particular application. Guessing of user-supplied passwords is a much more significant threat, and one that is not properly addressed in a default MediaWiki installation.
-- Tim Starling
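The trade-off Tim describes, as an added illustration that is not part of the thread and not MediaWiki code (Python rather than PHP, for brevity): a reset token that expires after N wrong guesses keyed on the username alone lets anyone who knows the username lock the real user out, while a per-IP limit leaves the legitimate user, arriving from a different address, unaffected. Usernames, addresses and limits are constructed for the demonstration; the 40-bit token size matches the entropy figure discussed above.

```python
"""Per-username lockout vs per-IP rate limiting for a password-reset token.

Constructed illustration, not MediaWiki code. Usernames, IPs and limits are
made up; tokens are 5 random bytes (40 bits), the figure discussed in the
thread.
"""
import secrets
import time
from collections import defaultdict


class PerUserLockout:
    """Expire the reset token after max_failures wrong guesses for that user."""

    def __init__(self, max_failures=10):
        self.max_failures = max_failures
        self.tokens = {}                   # username -> outstanding reset token
        self.failures = defaultdict(int)   # username -> wrong guesses so far

    def issue(self, username):
        token = secrets.token_hex(5)       # 5 bytes = 40 bits of entropy
        self.tokens[username] = token
        self.failures[username] = 0
        return token

    def attempt(self, username, guess, ip):
        # The counter is keyed by username only, so anyone who knows the
        # username can drive it to the limit and lock the real user out.
        if self.failures[username] >= self.max_failures:
            return "locked"
        token = self.tokens.get(username)
        if token is None:
            return "no_token"
        if secrets.compare_digest(token, guess):
            del self.tokens[username]
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            del self.tokens[username]      # token expired by the flood
            return "locked"
        return "wrong"


class PerIpRateLimit:
    """Allow at most max_per_window guesses per source IP per window."""

    def __init__(self, max_per_window=10, window_seconds=300, clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.clock = clock
        self.tokens = {}                   # username -> outstanding reset token
        self.hits = defaultdict(list)      # ip -> timestamps of recent guesses

    def issue(self, username):
        token = secrets.token_hex(5)
        self.tokens[username] = token
        return token

    def attempt(self, username, guess, ip):
        now = self.clock()
        recent = [t for t in self.hits[ip] if now - t < self.window]
        if len(recent) >= self.max_per_window:
            self.hits[ip] = recent
            return "rate_limited"          # only this source is throttled
        recent.append(now)
        self.hits[ip] = recent
        token = self.tokens.get(username)
        if token is None:
            return "no_token"
        if secrets.compare_digest(token, guess):
            del self.tokens[username]
            return "ok"
        return "wrong"


def simulate_flood(policy_cls, flood_size=11):
    """A third party floods wrong guesses for 'alice'; then alice redeems her token.

    Returns (flooder's last result, alice's result).
    """
    policy = policy_cls()
    token = policy.issue("alice")
    flooder_ip, alice_ip = "203.0.113.5", "198.51.100.7"   # RFC 5737 example ranges
    last = None
    for _ in range(flood_size):
        last = policy.attempt("alice", "0000000000", flooder_ip)
    return last, policy.attempt("alice", token, alice_ip)


if __name__ == "__main__":
    print("per-user lockout:  ", simulate_flood(PerUserLockout))
    print("per-IP rate limit: ", simulate_flood(PerIpRateLimit))
```

Under `PerUserLockout` the flood burns the token and alice is told "locked" even though she has the right value; under `PerIpRateLimit` the flooder is throttled after ten guesses while alice, from her own address, redeems the token normally. Note that the per-IP policy still needs shared state across web servers (the "requires memcached" point above), which is why it is less convenient to enable by default.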