On 5/29/07, Yuri Astrakhan <yuriastrakhan@gmail.com> wrote:
> In the IRC discussion a while back, I was told that there is no timeout of any sort. If the login timeout is already implemented in the core login, the whole exercise was pointless, and will be reverted.
No, the log-in timeout is not in the core login; as far as I'm aware, there is not even a timeout on the standard log-in (the idea of throttling log-in attempts was suggested and rejected). The captcha business, which prevents the brute-forcing of passwords via Special:Userlogin, is in the *extension* ConfirmEdit. It might be a very good idea to migrate this into the core, but until such time it's going to have to be secured on each individual component. It would seem quite illogical, however, to have devoted all this effort to securing Special:Userlogin against brute-forcing while leaving the API log-in wide open.