-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Daniel Cannon wrote:
On 5/29/07, Yuri Astrakhan yuriastrakhan@gmail.com wrote:
In the IRC discussion a while back, I was told that there is no timeout of any sort. If the login timeout is already implemented in the core login, the whole exercise was pointless, and will be reverted.
No, the log-in timeout is not in the core login;
Yes it is.
as far as I'm aware, there is not even a timeout on the standard log-in (the idea of throttling log-in attempts was suggested and rejected). The captcha business, which prevents the brute-forcing of passwords via SpecialUserlogin, is in the *extension* ConfirmEdit.
Depends on what you mean by "in".
The code that implements it is in the extension, because it's part of an extension.
It happens in the core authentication, and thus happens for both Human-HTML and API interfaces.
The captcha itself will only display for the human-HTML interface once triggered, but the lockouts would apply to both.
It might be a very good idea to migrate this into the core, but until such time it's going to have to be secured on each individual component. It would seem quite illogical, however, to have devoted all this effort into securing Special:Userlogin against brute-forcing while leaving the API log-in wide open.
Maybe that's why it's not the case, then. :)
- -- brion vibber (brion @ wikimedia.org)