Password security notes


Password security notes

Brion Vibber-3

As noted in other threads on several mailing lists, a few admin accounts
on en.wikipedia have been compromised recently, used to vandalize
high-traffic protected pages.

We're starting to roll out some additional protections against
password-guessing attacks, including but not limited to:

* Additional logging to better detect dictionary-style attacks

* Speed-bump measures against multiple failed logins
[But nothing that should DoS legitimate users. The traditional "lock out the
account after three tries" would make it trivial to lock out all the
site's sysops -- not wise. :)]

* Weak-password checks on existing sysops on our largest sites. Several
accounts have had their weak passwords invalidated and will need to
reset by mail before logging in again.

* Several targeted blocks against known cracking attempts.


Over the coming days we will additionally be rolling out more automated
password-strength checkers at login / set-password / change-password
time to reduce the danger of guessable passwords.


Please distribute this information as appropriate to your local
projects/languages.

- -- brion vibber (brion @ wikimedia.org)

_______________________________________________
foundation-l mailing list
[hidden email]
http://lists.wikimedia.org/mailman/listinfo/foundation-l

Re: Password security notes

jmerkey-3
Brion Vibber wrote:

>
>As noted in other threads on several mailing lists, a few admin accounts
>on en.wikipedia have been compromised recently, used to vandalize
>high-traffic protected pages.
>
>We're starting to roll out some additional protections against
>password-guessing attacks, including but not limited to:
>
>* Additional logging to better detect dictionary-style attacks
>
>* Speed-bump measures against multiple failed logins
>[But nothing that should DoS legitimate users. The traditional "lock out the
>account after three tries" would make it trivial to lock out all the
>site's sysops -- not wise. :)]
>  
>
What you should do here is after three failed attempts **CHANGE** the
password and email the new password
to the affected account. Otherwise, the account is locked up. It will
require people to enter a valid email address, but oh well.

Jeff



Re: Password security notes

John Reaves
I assume this has already been thought of, but steward accounts (as well as
all admin accounts) at Meta should be checked too.  A hacked steward account
would be a big problem.

--John Reaves

On 5/7/07, Jeff V. Merkey <[hidden email]> wrote:

>
> Brion Vibber wrote:
>
> >
> >As noted in other threads on several mailing lists, a few admin accounts
> >on en.wikipedia have been compromised recently, used to vandalize
> >high-traffic protected pages.
> >
> >We're starting to roll out some additional protections against
> >password-guessing attacks, including but not limited to:
> >
> >* Additional logging to better detect dictionary-style attacks
> >
> >* Speed-bump measures against multiple failed logins
> >[But nothing that should DoS legitimate users. The traditional "lock out the
> >account after three tries" would make it trivial to lock out all the
> >site's sysops -- not wise. :)]
> >
> >
> What you should do here is after three failed attempts **CHANGE** the
> password and email the new password
> to the affected account. Otherwise, the account is locked up. It will
> require people to enter a valid email address, but oh well.
>
> Jeff
>
>

Re: Password security notes

Steve Sanbeg
In reply to this post by jmerkey-3
On Mon, 07 May 2007 16:19:28 -0600, Jeff V. Merkey wrote:


> What you should do here is after three failed attempts **CHANGE** the
> password and email the new password
> to the affected account. Otherwise, the account is locked up. It will
> require people to enter a valid email address, but oh well.
>
> Jeff

DOS and spam seems like adding insult to injury.  I'd expect a lot of
complaints from the poor users whose passwords change hourly.

Slowing down the response rate based on the number of requests seems less
painful.
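Brion's "speed-bump" item and Steve's suggestion of slowing the response rate with the number of requests, sketched as an added Python example (not MediaWiki's code, which this thread does not show): failures are counted per target account and per source address, each further failure lengthens the wait before the next check, and the wait is capped, so a few wrong guesses can slow a sysop's login but never lock it out. The class, the parameter values and the log-line format are the editor's assumptions.

```python
import time

class LoginThrottle:
    """Speed bump for failed logins: each failure lengthens the wait before the
    next attempt is checked, instead of locking the account, so three wrong
    guesses cannot lock a sysop out of the site."""

    def __init__(self, free_tries=3, base_delay=1.0, max_delay=300.0, window=3600.0):
        self.free_tries = free_tries  # failures tolerated before any delay
        self.base_delay = base_delay  # seconds of delay once free tries are used up
        self.max_delay = max_delay    # cap: the worst an attacker can inflict on a user
        self.window = window          # idle seconds after which counters are forgotten
        self.failures = {}            # (kind, value) -> (count, time of last failure)

    @staticmethod
    def _keys(account, source):
        # Count per target account (guessing one user's password) and per source
        # address (a dictionary sweep across many users); the larger delay wins.
        return (("account", account), ("source", source))

    def _count(self, key, now):
        count, last = self.failures.get(key, (0, 0.0))
        return 0 if now - last > self.window else count

    def required_delay(self, account, source, now=None):
        """Seconds the caller must still wait before checking this password (0.0 = proceed)."""
        now = time.monotonic() if now is None else now
        delay = 0.0
        for key in self._keys(account, source):
            count = self._count(key, now)
            if count < self.free_tries:
                continue
            # exponential backoff: 1s, 2s, 4s, ... capped at max_delay
            wait = min(self.base_delay * 2 ** (count - self.free_tries), self.max_delay)
            delay = max(delay, self.failures[key][1] + wait - now)
        return max(delay, 0.0)

    def record_failure(self, account, source, now=None):
        """Bump both counters; returns a log line (constructed format) for spotting dictionary attacks."""
        now = time.monotonic() if now is None else now
        for key in self._keys(account, source):
            self.failures[key] = (self._count(key, now) + 1, now)
        return "login-fail account=%s source=%s account_fails=%d source_fails=%d" % (
            account, source, self.failures[("account", account)][0],
            self.failures[("source", source)][0])

    def record_success(self, account):
        # A correct password clears the per-account counter only; the per-source
        # counter stays, so one address cannot reset its sweep via its own login.
        self.failures.pop(("account", account), None)
```

The login handler calls `required_delay` before verifying the password and rejects the attempt with "try again in N seconds" when it is non-zero, so the password check itself is never reached while the bump is in force.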





Re: [Wikitech-l] Password security notes

jmerkey-3
Steve Sanbeg wrote:

>On Mon, 07 May 2007 16:19:28 -0600, Jeff V. Merkey wrote:
>
>
>  
>
>>What you should do here is after three failed attempts **CHANGE** the
>>password and email the new password
>>to the affected account. Otherwise, the account is locked up. It will
>>require people to enter a valid email address, but oh well.
>>
>>Jeff
>>    
>>
>
>DOS and spam seems like adding insult to injury.  I'd expect a lot of
>complaints from the poor users whose passwords change hourly.
>
>Slowing down the response rate based on the number of requests seems less
>painful.
>
>
>  
>
Actually no. Only one password email can be sent every 24 hours. This is
how the current MediaWiki works, so this
would work well.

Jeff


Re: Password security notes

David Gerard-2
In reply to this post by Brion Vibber-3
On 07/05/07, Brion Vibber <[hidden email]> wrote:

> We're starting to roll out some additional protections against
> password-guessing attacks, including but not limited to:
> * Weak-password checks on existing sysops on our largest sites. Several
> accounts have had their weak passwords invalidated and will need to
> reset by mail before logging in again.


Needless to say, anyone whose password is a certain string beginning
"09 F9" is blocked forever and their name put in [[Meta:Hall of
Shame]] to be poked fun at.


- d.


Re: Password security notes

Casey Brown-2
In reply to this post by John Reaves
A steward account... zomg... don't even think about it!  (Although, that may
be easier... Special:Log/rights is on meta and we don't get as many changes
there: easier to spot/fix!)

Cbrown1023

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of John Reaves
Sent: Monday, May 07, 2007 6:25 PM
To: Wikimedia Foundation Mailing List
Subject: Re: [Foundation-l] Password security notes

I assume this has already been thought of, but steward accounts (as well as
all admin accounts) at Meta should be checked too.  A hacked steward account
would be a big problem.

--John Reaves
