At 11:10 19/03/2007, you wrote:
> 2007/3/19, Ian Tresman <it@knowledge.co.uk>:
>> And another option would be for the person to enter their own valid email address, which needs validating before the password is sent out to the password-associated email address?
> Emmm... No, that wouldn't work. To validate the e-mail address, we need to send a message to that e-mail address, so the person could cause the same kind of trouble by hitting the button to validate your address.
I'm trying to think of a method which would (a) introduce a time delay between password reminder requests (b) make it a hassle to request it frequently.
How about for people who press the "E-mail password button":
1. Present a block of nine random 5-letter text blocks, and ask the user to enter from word block M (0 < M < 10), the Nth letter (0 < N < 6). And do this three times. I think people would get bored having to do this each time. e.g.
HIWPS PEQXX PFLEE PEDLX POSLN DOWWS DWEZI EODSW EPLDK
a. Enter from block 6 the 3rd letter
b. Enter from block 2 the 5th letter
c. Enter from block 8 the 2nd letter
[...]
Regards, Ian
ian wrote:
> How about for people who press the "E-mail password button":
> - Present a block of nine random 5-letter text blocks, and ask the user to enter from word block M (0 < M < 10), the Nth letter (0 < N < 6). And do this three times. I think people would get bored having to do this each time. e.g.
> HIWPS PEQXX PFLEE PEDLX POSLN DOWWS DWEZI EODSW EPLDK
> a. Enter from block 6 the 3rd letter
> b. Enter from block 2 the 5th letter
> c. Enter from block 8 the 2nd letter
> [...]
Useless, because this algorithm could be easily prevented by some little script...
A throttle is the best solution, I think. And already implemented, isn't it?
-- chris
> Useless, because this algorithm could be easily prevented by some little script...
I first understood the 'blocks' were captchas... It would solve it but a) we're throwing bandwidth b) usability is really poor.
> A throttle is the best solution, I think. And already implemented, isn't it?
It was solved with a throttle. I think Ian is having problems because the requests are done with open proxies, with a new ip throttle count.
At 18:31 19/03/2007, you wrote:
>> Useless, because this algorithm could be easily prevented by some little script...
> I first understood the 'blocks' were captchas... It would solve it but a) we're throwing bandwidth b) usability is really poor.
>> A throttle is the best solution, I think. And already implemented, isn't it?
> It was solved with a throttle. I think Ian is having problems because the requests are done with open proxies, with a new ip throttle count.
If a throttle is implemented, anyone know from what version? I'm stuck on 1.6.. because I don't have PHP 5.
And yes, the anonymous proxy was using random IP addresses.
Regards, Ian
Ian Tresman wrote:
> If a throttle is implemented, anyone know from what version? I'm stuck on 1.6.. because I don't have PHP 5.
> And yes, the anonymous proxy was using random IP addresses.
> Regards, Ian
I thought you were talking about Wikipedia. mediawiki-l is the appropriate list then.
This was brought on this [1] thread.
Was bug 5370 [2], fixed on r14200 [3]
Apply patches [4] & [5]
I see $wgRateLimits is defined on 1.6 so it will probably work "as is".
1-http://lists.wikimedia.org/mailman/htdig/wikitech-l/2006-October/027103.html
2-http://bugzilla.wikimedia.org/show_bug.cgi?id=5370
3-http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=14200
4-http://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3/includes/SpecialUserl...
5-http://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3/includes/DefaultSetti...
> This was brought on this [1] thread.
> Was bug 5370 [2], fixed on r14200 [3]
> Apply patches [4] & [5]
> I see $wgRateLimits is defined on 1.6 so it will probably work "as is".
> 1-http://lists.wikimedia.org/mailman/htdig/wikitech-l/2006-October/027103.html
> 2-http://bugzilla.wikimedia.org/show_bug.cgi?id=5370
> 3-http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=14200
> 4-http://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3/includes/SpecialUserl...
> 5-http://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3/includes/DefaultSetti...
Thanks for that. My MediaWiki 1.6.8 does not appear to have [4] above included in the code, but it looks easy to add.
$wgRateLimits is described at http://www.mediawiki.org/wiki/Manual:%24wgRateLimits but it appears to be disabled by default, and I can't figure out what I should enter for $wgRateLimits=
I tried the following, but I didn't understand the description:
$wgRateLimits = array(
    'mailpassword' => array(
        'user' => null,
        'newbie' => null,
        'ip' => array( 1, 60 ), // Max 1 hit in 60 seconds
        'subnet' => array( 1, 60 ),
    ),
);
Regards, Ian
wikitech-l@lists.wikimedia.org
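The thread notes that a per-IP throttle gets a fresh count for every new proxy address. The following added example (not part of the thread and not MediaWiki code) simulates that and shows the effect of also keying the counter on the target account. The class and function names, the /24 subnet grouping, the per-account key and its one-per-hour limit are assumptions; the addresses and the account name are constructed.

```python
import ipaddress

class Throttle:
    """Fixed window: at most `hits` events per `seconds` for each key."""
    def __init__(self, hits, seconds):
        self.hits, self.seconds = hits, seconds
        self.windows = {}  # key -> (window start, count in window)

    def allow(self, key, now):
        start, count = self.windows.get(key, (now, 0))
        if now - start >= self.seconds:      # window expired, start a new one
            start, count = now, 0
        if count >= self.hits:
            return False
        self.windows[key] = (start, count + 1)
        return True

def subnet_of(ip):
    # Assumption: group IPv4 clients by /24.
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

class ReminderLimiter:
    """Throttle for the password-reminder action (hypothetical class)."""
    def __init__(self, per_account):
        # ip/subnet: 1 hit per 60 s, the values from the config posted above.
        self.limits = {"ip": Throttle(1, 60), "subnet": Throttle(1, 60)}
        if per_account:
            # Assumption: 1 reminder per target account per hour.
            self.limits["account"] = Throttle(1, 3600)

    def allow(self, ip, account, now):
        keys = {"ip": ip, "subnet": subnet_of(ip), "account": account.lower()}
        # Evaluate every counter so a request refused by one is still counted by the others.
        return all([t.allow(keys[name], now) for name, t in self.limits.items()])

def simulate(limiter, requests=20):
    """Constructed traffic: one target account, one request per second,
    each from a different address in a different /24."""
    sent = 0
    for i in range(requests):
        if limiter.allow(f"10.{i}.0.7", "ExampleUser", now=i):
            sent += 1
    return sent

if __name__ == "__main__":
    print("per-IP/subnet only:", simulate(ReminderLimiter(per_account=False)))
    print("plus per-account:  ", simulate(ReminderLimiter(per_account=True)))
```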