On 5/29/07, Yuri Astrakhan <yuriastrakhan(a)gmail.com> wrote:
> In the IRC discussion a while back, I was told that there is no timeout of
> any sort. If the login timeout is already implemented in the core login, the
> whole exercise was pointless, and will be reverted.
No, the log-in timeout is not in the core login; as far as I'm aware, there
is not even a timeout on the standard log-in (the idea of throttling log-in
attempts was suggested and rejected). The captcha business, which prevents
the brute-forcing of passwords via Special:Userlogin, is in the *extension*
ConfirmEdit. It might be a very good idea to migrate this into the core, but
until such time it's going to have to be secured on each individual
component. It would seem quite illogical, however, to have devoted all this
effort to securing Special:Userlogin against brute-forcing while leaving
the API log-in wide open.
--
Daniel Cannon (AmiDaniel)
http://amidaniel.com
cannon.danielc(a)gmail.com
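Added illustration, not code from this thread or from MediaWiki: the point above is that a captcha bolted onto the web form does nothing for a second entry point (the API login) that reaches the same password check. The sketch below puts a sliding-window failure throttle in the shared core so that every entry point inherits it, and then runs a constructed brute-force loop against an unthrottled and a throttled API path to show the difference. All names (LoginThrottle, api_login_throttled, the test account, the window and attempt limits) are hypothetical choices for the example; the clock is injectable so it runs deterministically offline.

```python
"""Shared login throttle as a constructed example of closing the gap discussed
in the thread: a captcha on Special:Userlogin alone leaves an API login path
open to brute force. Not MediaWiki code; every name here is hypothetical."""
import hmac
import time
from collections import defaultdict, deque

# Constructed test account for the example; not real credentials.
USERS = {"Alice": "correct horse battery staple"}


class FakeClock:
    """Deterministic clock for the example; production would pass time.monotonic."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LoginThrottle:
    """Sliding-window failure counter keyed on (account, client IP).

    After max_failures failed attempts inside window_seconds the key is locked
    until the oldest failure ages out. Hypothetical design, not MediaWiki's.
    """

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._clock = clock
        self._failures = defaultdict(deque)

    def _key(self, username, ip):
        # Case-insensitive so "alice" and "Alice" share one counter.
        return (username.casefold(), ip)

    def _prune(self, key):
        now = self._clock()
        q = self._failures[key]
        while q and now - q[0] >= self.window_seconds:
            q.popleft()

    def is_locked(self, username, ip):
        key = self._key(username, ip)
        self._prune(key)
        return len(self._failures[key]) >= self.max_failures

    def record_failure(self, username, ip):
        key = self._key(username, ip)
        self._prune(key)
        self._failures[key].append(self._clock())

    def record_success(self, username, ip):
        self._failures.pop(self._key(username, ip), None)


def password_matches(username, password):
    """Core password check that every entry point (web form, API) reaches."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


def api_login_unthrottled(username, password, ip, throttle=None):
    """Models an API login that calls the core check with no rate limit."""
    return "Success" if password_matches(username, password) else "WrongPass"


def api_login_throttled(username, password, ip, throttle):
    """Same check, with the throttle consulted before and updated after it."""
    if throttle.is_locked(username, ip):
        return "Throttled"
    if password_matches(username, password):
        throttle.record_success(username, ip)
        return "Success"
    throttle.record_failure(username, ip)
    return "WrongPass"


def brute_force(login, username, candidates, ip, throttle):
    """Try each candidate password in turn; report the outcome and attempt count."""
    for attempts, guess in enumerate(candidates, start=1):
        result = login(username, guess, ip, throttle)
        if result != "WrongPass":
            return result, attempts
    return "Exhausted", len(candidates)


if __name__ == "__main__":
    # Constructed wordlist: 200 wrong guesses, then the real password.
    guesses = [f"password{i}" for i in range(200)] + ["correct horse battery staple"]
    print(brute_force(api_login_unthrottled, "Alice", guesses, "203.0.113.7", None))
    print(brute_force(api_login_throttled, "Alice", guesses, "203.0.113.7", LoginThrottle()))
```

Keying on (account, IP) is a deliberate trade-off: keying on the account alone lets anyone lock a victim out by spraying wrong passwords at their name, while keying on the IP alone is trivially bypassed by rotating source addresses; a real deployment usually layers both with different limits and counts failures on every entry point, which is the argument for putting the throttle in the core rather than in one extension.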