Generated memcache key used the user name, which could contain spaces or be overlong, leading to failure to enforce the check.
Switched to making the key using md5 of the username instead of the raw name, so "I Am Rocking" will get throttled as well as "WikiSysop".
Note that it still will have no effect on a default install (with no general cache engine); for this sort of security-friendly thing it might be wise to use the DB-based cache to ensure it's functional.
global $wgPasswordAttemptThrottle;
if ( is_array($wgPasswordAttemptThrottle) ) {
- $key = wfMemcKey( 'password-throttle', wfGetIP(), $this->mName );
+ $key = wfMemcKey( 'password-throttle', wfGetIP(), md5( $this->mName ) );
$count = $wgPasswordAttemptThrottle['count'];
$period = $wgPasswordAttemptThrottle['seconds'];