Let's improve our password policy

Let's improve our password policy

Steven Walling
Hi everyone,

For some time now we've had two Requests for Comment floating around
related to passwords, neither of them making much progress.

One is the older "password strength" RFC which proposed creating a module
to tell users about the strength of their passwords. The second, "Password
requirements", had some discussion but wasn't reaching consensus and
implementation.

After proposing it about a month ago, I've merged these two RFCs and
refactored them into
https://www.mediawiki.org/wiki/Requests_for_comment/Passwords, partially
based on feedback from Chris Steipp.

Please comment. I've tried to sharpen the proposals down into one thing we
can do _right now_ which will do the most good for the most users. However,
there are several other viable ideas which merit discussion and example
implementations.

Thanks!

Steven
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: Let's improve our password policy

rupert THURNER-2
Hi Steven,

Thanks for this proposal. What I have consistently run into for years is not
being logged in when I want to be. I'd really appreciate it if this were shown
clearly on all wikis. I can never remember which ones indicate it and
which ones don't. mediawiki.org indicates it, btw ... and I was trying to
comment there not logged in :)

For the password policy: displaying a strength indicator is great. Anything
more? I would say just leave it to the user.

rupert.



On Fri, Jan 24, 2014 at 8:50 PM, Steven Walling <[hidden email]> wrote:

> Hi everyone,
>
> For some time now we've had two Requests for Comment floating around
> related to passwords, neither of them making much progress.
>
> One is the older "password strength" RFC which proposed creating a module
> to tell users about the strength of their passwords. The second, "Password
> requirements", had some discussion but wasn't reaching consensus and
> implementation.
>
> After proposing it about a month ago, I've merged these two RFCs and
> refactored them in to
> https://www.mediawiki.org/wiki/Requests_for_comment/Passwords, partially
> based on feedback from Chris Steipp.
>
> Please comment. I've tried to sharpen the proposals down in to one thing we
> can do _right now_ which will do the most good for the most users. However,
> there are several other viable ideas which merit discussion and example
> implementations.
>
> Thanks!
>
> Steven

Re: Let's improve our password policy

Isarra Yos
On 25/01/14 13:02, rupert THURNER wrote:
> for the password policy: display a strength indicator is great. anything
> more? i would say just leave it to the user.
>
> rupert.
This.


Re: Let's improve our password policy

Steven Walling
On Sat, Jan 25, 2014 at 10:25 AM, Isarra Yos <[hidden email]> wrote:

> On 25/01/14 13:02, rupert THURNER wrote:
>
>> for the password policy: display a strength indicator is great. anything
>> more? i would say just leave it to the user.
>>
>> rupert.
>>
> This.


We should probably have this discussion on the RFC comments. The trade-off
between security and user freedom is already brought up there, and there
are some clarifying comments that are relevant. Namely, that the RFC is
about the MediaWiki default. If a given MediaWiki install wants to change
the default, they can like all config settings.

Re: Let's improve our password policy

Gryllida
On Sun, 26 Jan 2014, at 0:02, rupert THURNER wrote:
> for the password policy: display a strength indicator is great. anything
> more? i would say just leave it to the user.
>
> rupert.

THANK YOU. My thoughts exactly. :-)

Everyone who has a thought should write it on-wiki for these people to hear you without manually scanning a mailing list. Thanks.

  gry


Re: Let's improve our password policy

Martijn Hoekstra
On Sun, Jan 26, 2014 at 9:49 AM, Gryllida <[hidden email]> wrote:

> On Sun, 26 Jan 2014, at 0:02, rupert THURNER wrote:
> > for the password policy: display a strength indicator is great. anything
> > more? i would say just leave it to the user.
> >
> > rupert.
>
> THANK YOU. My thoughts exactly. :-)
>
> Everyone who has a thought should write it on-wiki for these people to
> hear you without manually scanning a mailing list. Thanks.
>
>   gry
>

I once saw a "can be brute forced on commodity hardware in x" field instead
of an abstract "strength" field - but phrased less techy. I liked that.


Re: Let's improve our password policy

Petr Bena
fde#@%62jtgjsl$#5kgsgjgseojgro@#$%SEGsgesjojahREAGHkerahj23YJ34pwyjw3$#^WrejgshSH

Time Required to Exhaustively Search this Password's Space:

Online Attack Scenario:
5.04 thousand trillion trillion trillion trillion trillion trillion
trillion trillion trillion trillion trillion trillion centuries
Offline Fast Attack Scenario:
50.42 million trillion trillion trillion trillion trillion trillion
trillion trillion trillion trillion trillion centuries
Massive Cracking Array Scenario:
50.42 thousand trillion trillion trillion trillion trillion trillion
trillion trillion trillion trillion trillion centuries

Now just remember that password.

On Tue, Feb 4, 2014 at 10:18 AM, Martijn Hoekstra
<[hidden email]> wrote:

> On Sun, Jan 26, 2014 at 9:49 AM, Gryllida <[hidden email]> wrote:
>
>> On Sun, 26 Jan 2014, at 0:02, rupert THURNER wrote:
>> > for the password policy: display a strength indicator is great. anything
>> > more? i would say just leave it to the user.
>> >
>> > rupert.
>>
>> THANK YOU. My thoughts exactly. :-)
>>
>> Everyone who has a thought should write it on-wiki for these people to
>> hear you without manually scanning a mailing list. Thanks.
>>
>>   gry
>>
>
> I once saw a "can be brute forced on commodity hardware in x" field instead
> of an abstract "strength" field - but phrased less techy. I liked that.
>

Re: Let's improve our password policy

Vi to
A three/four colour lamp + "it might be forced in approx X days" sounds great!

Vito

Sent with AquaMail for Android
http://www.aqua-mail.com


On 4 February 2014 10:19:12 Martijn Hoekstra <[hidden email]>
wrote:

> On Sun, Jan 26, 2014 at 9:49 AM, Gryllida <[hidden email]> wrote:
>
> > On Sun, 26 Jan 2014, at 0:02, rupert THURNER wrote:
> > > for the password policy: display a strength indicator is great. anything
> > > more? i would say just leave it to the user.
> > >
> > > rupert.
> >
> > THANK YOU. My thoughts exactly. :-)
> >
> > Everyone who has a thought should write it on-wiki for these people to
> > hear you without manually scanning a mailing list. Thanks.
> >
> >   gry
> >
>
> I once saw a "can be brute forced on commodity hardware in x" field instead
> of an abstract "strength" field - but phrased less techy. I liked that.
>

Re: Let's improve our password policy

Željko Filipin
On Tue, Feb 4, 2014 at 10:33 AM, Petr Bena <[hidden email]> wrote:

> fde#@%62jtgjsl$#5kgsgjgseojgro@
> #$%SEGsgesjojahREAGHkerahj23YJ34pwyjw3$#^WrejgshSH
> (...)
> Now just remember that password.
>

All my passwords look like that and there is no need to remember them. You
can use a password manager[1]. I am aware of the fact that most people on
this list do not use one, and that people that are not technical do not
even know what a password manager is.

Željko
--
1: https://en.wikipedia.org/wiki/Password_manager

Re: Let's improve our password policy

Petr Bena
hacking into a password manager might be easier than hacking into a human brain :P

On Tue, Feb 4, 2014 at 11:03 AM, Željko Filipin <[hidden email]> wrote:

> On Tue, Feb 4, 2014 at 10:33 AM, Petr Bena <[hidden email]> wrote:
>
>> fde#@%62jtgjsl$#5kgsgjgseojgro@
>> #$%SEGsgesjojahREAGHkerahj23YJ34pwyjw3$#^WrejgshSH
>> (...)
>> Now just remember that password.
>>
>
> All my passwords look like that and there is no need to remember them. You
> can use a password manager[1]. I am aware of the fact that most people on
> this list do not use one, and that people that are not technical do not
> even know what a password manager is.
>
> Željko
> --
> 1: https://en.wikipedia.org/wiki/Password_manager

Re: Let's improve our password policy

Petr Bena
To be honest, one of the things I liked most about Wikipedia over other sites
was having no password policy whatsoever. I hope we never get into such a
creepy state as the Oracle website, which requires such a complicated
password that I always immediately forget it...

On Tue, Feb 4, 2014 at 3:04 PM, Petr Bena <[hidden email]> wrote:

> hacking into password manager might be easier than hacking into a human brain :P
>
> On Tue, Feb 4, 2014 at 11:03 AM, Željko Filipin <[hidden email]> wrote:
>> On Tue, Feb 4, 2014 at 10:33 AM, Petr Bena <[hidden email]> wrote:
>>
>>> fde#@%62jtgjsl$#5kgsgjgseojgro@
>>> #$%SEGsgesjojahREAGHkerahj23YJ34pwyjw3$#^WrejgshSH
>>> (...)
>>> Now just remember that password.
>>>
>>
>> All my passwords look like that and there is no need to remember them. You
>> can use a password manager[1]. I am aware of the fact that most people on
>> this list do not use one, and that people that are not technical do not
>> even know what a password manager is.
>>
>> Željko
>> --
>> 1: https://en.wikipedia.org/wiki/Password_manager

Re: Let's improve our password policy

Steven Walling
On Tuesday, February 4, 2014, Petr Bena <[hidden email]> wrote:

> To be honest one of things I liked most on wikipedia over other sites,
> was no password policy whatsoever. I hope we never get into such a
> creepy state like oracle website which requires so complicated
> password that I always immediately forget it...


I fully agree. This is why the RFC explicitly


> On Tue, Feb 4, 2014 at 3:04 PM, Petr Bena <[hidden email]> wrote:
> > hacking into password manager might be easier than hacking into a human
> brain :P
> >
> > On Tue, Feb 4, 2014 at 11:03 AM, Željko Filipin <[hidden email]> wrote:
> >> On Tue, Feb 4, 2014 at 10:33 AM, Petr Bena <[hidden email]> wrote:
> >>
> >>> fde#@%62jtgjsl$#5kgsgjgseojgro@
> >>> #$%SEGsgesjojahREAGHkerahj23YJ34pwyjw3$#^WrejgshSH
> >>> (...)
> >>> Now just remember that password.
> >>>
> >>
> >> All my passwords look like that and there is no need to remember them.
> You
> >> can use a password manager[1]. I am aware of the fact that most people
> on
> >> this list do not use one, and that people that are not technical do not
> >> even know what a password manager is.
> >>
> >> Željko
> >> --
> >> 1: https://en.wikipedia.org/wiki/Password_manager

Re: Let's improve our password policy

Steven Walling
On Tue, Feb 4, 2014 at 11:58 AM, Steven Walling <[hidden email]> wrote:

> On Tuesday, February 4, 2014, Petr Bena <[hidden email]> wrote:
>
>> To be honest one of things I liked most on wikipedia over other sites,
>> was no password policy whatsoever. I hope we never get into such a
>> creepy state like oracle website which requires so complicated
>> password that I always immediately forget it...
>
>
> I fully agree. This is why the RFC explicitly
>

Sorry, was on my phone. I meant to say...

I fully agree, and this is why the RFC is very clear that the *only
immediate change proposed* is an increase in required minimum length from
one character to six. It does not suggest that we require more complex
character types, such as mixed upper/lower case, numbers, symbols and so
on. Just increasing the length, and hopefully suggesting to users how to
pick a strong password, is plenty for MediaWiki defaults.

Re: Let's improve our password policy

MZMcBride-2
Steven Walling wrote:
>I fully agree, and this is why the RFC is very clear that the *only
>immediate change proposed* is an increase in required minimum length from
>one character to six. It does not suggest that we require more complex
>character types, such as mixed upper/lower case, numbers, symbols and so
>on. Just increasing the length, and hopefully suggesting to users how to
>pick a strong password, is plenty for MediaWiki defaults.

General consensus (on this mailing list and at the RFC) seems to be that
we can certainly encourage stronger passwords, but we should not require
stronger passwords for standard accounts. Accounts with escalated
privileges (admin, checkuser, etc.) should likely be treated differently.

Ultimately, account security is a user's prerogative. If a user wants to
use "wiki" as his or her password, we can say that's not a great idea, but
I don't see why we would outright ban it. Similarly, more complex
passwords lead to people using a sticky note or similarly poor practices.

Wikimedia wiki accounts are nearly valueless. Banks and even e-mail
providers have reason to implement stricter authentication requirements.
Meanwhile on Wikimedia wikis, there's very little incentive to log in.
What's the purpose of securing such standard accounts? This has an
associated cost. What's the benefit?

Perhaps there are better arguments for why we should lock an unknown
number of users out of their accounts every time someone upgrades
MediaWiki, but currently the pros column seems a lot weaker than the cons
column for implementing this change to $wgMinimalPasswordLength.

MZMcBride




Re: Let's improve our password policy

Tyler Romeo
On Wed, Feb 5, 2014 at 2:20 AM, MZMcBride <[hidden email]> wrote:

> Ultimately, account security is a user's prerogative. [...] Banks and even
> e-mail
> providers have reason to implement stricter authentication requirements.
>

This is conflicting logic. If it is the user's job to enforce their own
account security, what reason would banks or email providers have to
require long passwords? If somebody guesses a user's password and empties
their bank account, the bank could care less, since it is the customer's
fault for not making sure their password is long enough.

Rather account security, and security in general, is a combination of both
administrative oversight and user awareness. It is the system
administrators' responsibility to try and make up for the fact that users
are not security experts, and thus cannot be expected to take every
possible measure to ensure the safety of their account. Accordingly it is
our responsibility to set a password policy that ensures that users will
not do something stupid, as all users are inclined to do.

Of course, it is still valid that a Wikimedia wiki account is "nearly
valueless". However, that is probably more of a personal opinion than it is
a fact. I'm sure a very heavy Wikipedia editor, who uses his/her account to
make hundreds of edits a month but isn't necessarily an administrator or
other higher-level user, sees their account as something more than a
throwaway that can be replaced in an instant. Sure there is nothing of
monetary value in the account, and no confidential information would be
leaked should the account become compromised, but at the same time it has a
personal value.

For example, MZMcBride, what if your password is "wiki", and somebody
compromises your account, and changes your password and email. You don't
have a committed identity, so your account is now unrecoverable. You now
have to sign up for Wikipedia again, using the username "MZMcBride2". Of
course, all your previous edits are still accredited to your previous
account, and there's no way we can confirm you are the real MZMcBride, but
at least you can continue to edit Wikipedia... Obviously you are not the
best example, since I'm sure you have ways of confirming your identity to
the Wikimedia Foundation, but not everybody is like that. You could argue
that if you consider your Wikipedia account to have that much value, you'd
put in the effort to make sure it is secure. To that I say see the above
paragraph.

--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science

Re: Let's improve our password policy

Martijn Hoekstra
On Feb 5, 2014 8:21 AM, "MZMcBride" <[hidden email]> wrote:

>
> Steven Walling wrote:
> >I fully agree, and this is why the RFC is very clear that the *only
> >immediate change proposed* is an increase in required minimum length from
> >one character to six. It does not suggest that we require more complex
> >character types, such as mixed upper/lower case, numbers, symbols and so
> >on. Just increasing the length, and hopefully suggesting to users how to
> >pick a strong password, is plenty for MediaWiki defaults.
>
> General consensus (on this mailing list and at the RFC) seems to be that
> we can certainly encourage stronger passwords, but we should not require
> stronger passwords for standard accounts. Accounts with escalated
> privileges (admin, checkuser, etc.) should likely be treated differently.
>
> Ultimately, account security is a user's prerogative. If a user wants to
> use "wiki" as his or her password, we can say that's not a great idea, but
> I don't see why we would outright ban it. Similarly, more complex
> passwords lead to people using a sticky note or similarly poor practices.
>
> Wikimedia wiki accounts are nearly valueless. Banks and even e-mail
> providers have reason to implement stricter authentication requirements.
> Meanwhile on Wikimedia wikis, there's very little incentive to log in.
> What's the purpose of securing such standard accounts? This has an
> associated cost. What's the benefit?
>
> Perhaps there are better arguments for why we should lock an unknown
> number of users out of their accounts every time someone upgrades
> MediaWiki, but currently the pros column seems a lot weaker than the cons
> column for implementing this change to $wgMinimalPasswordLength.
>
> MZMcBride

I think Steven meant upping the requirements for new accounts only. In that
way nothing gets broken immediately. I'm still not absolutely convinced
this is more useful than a hindrance if we clearly inform the user about
password strength when they set them (see my earlier post about "this
password can be brute forced in x"). If users are then not deterred from
setting their password to "wiki", apparently they didn't care, as we told
them how easy it is to brute force.

If Steven did mean something that will lock people out of their account on
upgrades, then I don't think that's a good idea at all.

Martijn.

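
The length-only policy Steven describes, with MZMcBride's suggestion that
privileged groups be treated differently and Martijn's point that it should
bite only when a password is set, sketched as an added example. This is not
MediaWiki code: only the default minimum of six comes from the RFC; the group
names, the stricter figures for sysop and checkuser, and the not-the-username
rule are assumptions chosen for illustration.

```javascript
// Added example for this thread, not MediaWiki code. Minimum length is
// checked when a password is set, with the strictest policy of the user's
// groups winning; at login it is only reported, so raising the default can
// never lock an existing account out.

// Per-group policy. The default of six is the RFC's proposal; the sysop and
// checkuser figures and the not-the-username rule are assumptions for
// illustration, not settings MediaWiki ships.
const GROUP_POLICIES = {
  '*':       { minLength: 6 },
  sysop:     { minLength: 10, notUsername: true },
  checkuser: { minLength: 12, notUsername: true },
};

// Effective policy: the strictest value of each rule across '*' and the
// user's groups, so a sysop who is also a checkuser gets the checkuser rule.
function policyFor(groups) {
  const merged = { minLength: 0, notUsername: false };
  for (const g of ['*', ...groups]) {
    const p = GROUP_POLICIES[g];
    if (!p) continue;
    merged.minLength = Math.max(merged.minLength, p.minLength);
    merged.notUsername = merged.notUsername || Boolean(p.notUsername);
  }
  return merged;
}

// Rules the candidate password breaks, as message keys; empty means it passes.
function policyViolations(username, password, groups) {
  const policy = policyFor(groups);
  const problems = [];
  // Count code points rather than UTF-16 units so astral characters count once.
  if (Array.from(password).length < policy.minLength) {
    problems.push(`too-short:${policy.minLength}`);
  }
  if (policy.notUsername && password.toLowerCase() === username.toLowerCase()) {
    problems.push('matches-username');
  }
  return problems;
}

// Account creation and password change: enforce.
function checkNewPassword(username, password, groups) {
  const problems = policyViolations(username, password, groups);
  return { accepted: problems.length === 0, problems };
}

// Login, after the stored hash has already matched: never reject on policy,
// only say whether the user should be nagged to pick a better password.
function afterSuccessfulLogin(username, password, groups) {
  const problems = policyViolations(username, password, groups);
  return { allowed: true, remind: problems.length > 0, problems };
}

console.log(checkNewPassword('Alice', 'wiki', []));
console.log(checkNewPassword('MZMcBride', 'mzmcbride', ['sysop']));
console.log(afterSuccessfulLogin('Alice', 'wiki', []));
```

The split between checkNewPassword and afterSuccessfulLogin is the whole
point: the first is where "wiki" gets refused for a new account, the second
is what runs on an existing account after an upgrade and can only trigger a
reminder, never a lockout.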

Re: Let's improve our password policy

Vi to
Let's say they are nearly valueless for most attackers.

Generally speaking I think we should strongly encourage security without
imposing it. A "strength meter", some email reminder and a minimum of six
chars for new passwords would be, imho, non-invasive good measures.

Vito

Sent with AquaMail for Android
http://www.aqua-mail.com


On 5 February 2014 08:59:24 Tyler Romeo <[hidden email]> wrote:

> On Wed, Feb 5, 2014 at 2:20 AM, MZMcBride <[hidden email]> wrote:
>
> > Ultimately, account security is a user's prerogative. [...] Banks and even
> > e-mail
> > providers have reason to implement stricter authentication requirements.
> >
>
> This is conflicting logic. If it is the user's job to enforce their own
> account security, what reason would banks or email providers have to
> require long passwords? If somebody guesses a user's password and empties
> their bank account, the bank could care less, since it is the customer's
> fault for not making sure their password is long enough.
>
> Rather account security, and security in general, is a combination of both
> administrative oversight and user awareness. It is the system
> administrators' responsibility to try and make up for the fact that users
> are not security experts, and thus cannot be expected to take every
> possible measure to ensure the safety of their account. Accordingly it is
> our responsibility to set a password policy that ensures that users will
> not do something stupid, as all users are inclined to do.
>
> Of course, it is still valid that a Wikimedia wiki account is "nearly
> valueless". However, that is probably more of a personal opinion than it is
> a fact. I'm sure a very heavy Wikipedia editor, who uses his/her account to
> make hundreds of edits a month but isn't necessarily an administrator or
> other higher-level user, sees their account as something more than a
> throwaway that can be replaced in an instant. Sure there is nothing of
> monetary value in the account, and no confidential information would be
> leaked should the account become compromised, but at the same time it has a
> personal value.
>
> For example, MZMcBride, what if your password is "wiki", and somebody
> compromises your account, and changes your password and email. You don't
> have a committed identity, so your account is now unrecoverable. You now
> have to sign up for Wikipedia again, using the username "MZMcBride2". Of
> course, all your previous edits are still accredited to your previous
> account, and there's no way we can confirm you are the real MZMcBride, but
> at least you can continue to edit Wikipedia... Obviously you are not the
> best example, since I'm sure you have ways of confirming your identity to
> the Wikimedia Foundation, but not everybody is like that. You could argue
> that if you consider your Wikipedia account to have that much value, you'd
> put in the effort to make sure it is secure. To that I say see the above
> paragraph.
>
> --
> Tyler Romeo
> Stevens Institute of Technology, Class of 2016
> Major in Computer Science

Re: Let's improve our password policy

Nathan Larson
On Wed, Feb 5, 2014 at 2:58 AM, Tyler Romeo <[hidden email]> wrote:

> For example, MZMcBride, what if your password is "wiki", and somebody
> compromises your account, and changes your password and email. You don't
> have a committed identity, so your account is now unrecoverable. You now
> have to sign up for Wikipedia again, using the username "MZMcBride2". Of
> course, all your previous edits are still accredited to your previous
> account, and there's no way we can confirm you are the real MZMcBride, but
> at least you can continue to edit Wikipedia... Obviously you are not the
> best example, since I'm sure you have ways of confirming your identity to
> the Wikimedia Foundation, but not everybody is like that. You could argue
> that if you consider your Wikipedia account to have that much value, you'd
> put in the effort to make sure it is secure. To that I say see the above
> paragraph.
>

What if all of the email addresses that a user has ever used were to be
stored permanently? Then in the event of an account hijacking, he could say
to WMF, "As your data will confirm, the original email address for user Foo
was [hidden email], and I am emailing you from that account, so either my
email account got compromised, or I am the person who first set an email
address for user Foo." The email services have their own procedures for
sorting out situations in which people claim their email accounts were
hijacked.

Re: Let's improve our password policy

Brian Wolff
In reply to this post by Martijn Hoekstra
>
> I think Steven meant upping the requirements for new accounts only. In
that
> way nothing gets broken immediately. I'm still not absolutely convinced
> this is more useful than a hindrance if we clearly inform the user about
> password strength when they set them (see my earlier post about "this
> password can be brute forced in x"). If users are then not deterred from
> setting their password to "wiki", apparently they didn't care, as we told
> them how easy it is to brute force.
>

I think such statistics are misleading. Why would an attacker use brute
force over a dictionary attack?

-bawolff
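
The "time to exhaustively search" figures quoted in Petr's message above and
bawolff's objection to them, side by side in an added example. This is not
code from the RFC, from MediaWiki, or from the tool that produced those
numbers: the three guess rates are assumptions, since the page does not give
the ones that tool used, and the word list is a constructed stand-in for a
real cracking dictionary.

```javascript
// Added example for this thread, not code from the Passwords RFC or from
// MediaWiki. It computes the "time to exhaustively search the space" figure
// of the kind quoted above and, beside it, the number of guesses a
// dictionary attack needs, which is the comparison bawolff asks for.

const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// Assumed guesses per second for the three scenarios named in the quoted
// output; the rates the original tool used are not given on this page.
const SCENARIOS = {
  online: 1e3,         // a rate-limited web login form
  offlineFast: 1e11,   // one GPU against a fast, unsalted hash
  massiveArray: 1e14,  // a large cracking cluster
};

// Constructed stand-in for a real cracking word list, most common first
// (rank 1 is tried first). Real lists run to millions of entries.
const COMMON_WORDS = ['password', '123456', 'wiki', 'qwerty', 'wikipedia', 'letmein'];

// Size of the printable-ASCII alphabet a brute-force attacker would assume
// from the character classes present in the password.
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33; // the other printable ASCII characters
  return size;
}

// Exhaustive search space: every string of length 1..len over that alphabet.
function searchSpace(pw) {
  const size = charsetSize(pw);
  let total = 0;
  for (let n = 1; n <= pw.length; n++) total += size ** n;
  return total;
}

// Guesses a dictionary attack needs: the word's rank, multiplied by a small
// mangling budget when a leading capital or a digit suffix is present.
// Infinity means the password is not derived from a listed word.
function dictionaryGuesses(pw) {
  const m = /^([A-Za-z]+)(\d{0,4})$/.exec(pw);
  if (!m) return Infinity;
  const rank = COMMON_WORDS.indexOf(m[1].toLowerCase());
  if (rank < 0) return Infinity;
  let guesses = rank + 1;
  if (m[1][0] !== m[1][0].toLowerCase()) guesses *= 2; // also try the capitalised form
  if (m[2].length > 0) guesses *= 10 ** m[2].length;   // also try every digit suffix of that length
  return guesses;
}

function humanTime(seconds) {
  if (seconds < 60) return `${seconds.toFixed(1)} seconds`;
  if (seconds < 3600) return `${(seconds / 60).toFixed(1)} minutes`;
  if (seconds < 86400) return `${(seconds / 3600).toFixed(1)} hours`;
  if (seconds < SECONDS_PER_YEAR) return `${(seconds / 86400).toFixed(1)} days`;
  return `${(seconds / SECONDS_PER_YEAR).toExponential(2)} years`;
}

// Per-scenario comparison. `misleading` is true when the dictionary route is
// at least a thousand times cheaper than the brute-force figure suggests.
function assess(pw) {
  const brute = searchSpace(pw);
  const dict = dictionaryGuesses(pw);
  const realistic = Math.min(brute, dict);
  const report = { password: pw, bruteForceGuesses: brute, dictionaryGuesses: dict,
                   misleading: dict * 1000 < brute, scenarios: {} };
  for (const [name, rate] of Object.entries(SCENARIOS)) {
    report.scenarios[name] = {
      exhaustive: humanTime(brute / rate),
      realistic: humanTime(realistic / rate),
    };
  }
  return report;
}

for (const pw of ['wiki', 'Wikipedia1', 'fde#@%62jtgjsl']) {
  console.log(JSON.stringify(assess(pw), null, 1));
}
```

Run it with node. For "wiki" the exhaustive online-attack estimate is a few
minutes while the dictionary route needs three guesses; for "Wikipedia1" the
exhaustive figure is astronomically large and the dictionary route is a
hundred guesses, which is the misleading case. Only the random string keeps
the exhaustive figure as its realistic one, and that is the kind of password
nobody remembers.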

Re: Let's improve our password policy

Derric Atzrott
In reply to this post by Nathan Larson
>> For example, MZMcBride, what if your password is "wiki", and somebody
>> compromises your account, and changes your password and email. You don't
>> have a committed identity, so your account is now unrecoverable. You now
>> have to sign up for Wikipedia again, using the username "MZMcBride2". Of
>> course, all your previous edits are still accredited to your previous
>> account, and there's no way we can confirm you are the real MZMcBride, but
>> at least you can continue to edit Wikipedia... Obviously you are not the
>> best example, since I'm sure you have ways of confirming your identity to
>> the Wikimedia Foundation, but not everybody is like that. You could argue
>> that if you consider your Wikipedia account to have that much value, you'd
>> put in the effort to make sure it is secure. To that I say see the above
>> paragraph.
>>
>
>What if all of the email addresses that a user has ever used were to be
>stored permanently? Then in the event of an account hijacking, he could say
>to WMF, "As your data will confirm, the original email address for user Foo
>was [hidden email], and I am emailing you from that account, so either my
>email account got compromised, or I am the person who first set an email
>address for user Foo." The email services have their own procedures for
>sorting out situations in which people claim their email accounts were
>hijacked.

I feel as though this idea does not meet my need for privacy.  I can guess that at least a portion of the community would agree.

Thank you,
Derric Atzrott

