Password security notes


Password security notes

Brion Vibber-3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As noted in other threads on several mailing lists, a few admin accounts
on en.wikipedia have been compromised recently, used to vandalize
high-traffic protected pages.

We're starting to roll out some additional protections against
password-guessing attacks, including but not limited to:

* Additional logging to better detect dictionary-style attacks

* Speed-bump measures against multiple failed logins
[But nothing that should DoS legitimate users. The traditional "lock out the
account after three tries" would make it trivial to lock out all the
site's sysops -- not wise. :)]

* Weak-password checks on existing sysops on our largest sites. Several
accounts have had their weak passwords invalidated and will need to
reset them by mail before logging in again.

* Several targeted blocks against known cracking attempts.


Over the coming days we will additionally be rolling out more automated
password-strength checkers at login / set-password / change-password
time to reduce the danger of guessable passwords.


Please distribute this information as appropriate to your local
projects/languages.

-- brion vibber (brion @ wikimedia.org)

_______________________________________________
Wikitech-l mailing list
[hidden email]
http://lists.wikimedia.org/mailman/listinfo/wikitech-l
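One way to build the speed bump and failure logging Brion describes, as an added example (this is not MediaWiki's code; the class, the window, the delay cap and the alert threshold are all assumptions for illustration):

```python
"""Failed-login speed bump and dictionary-attack detector.

Added example, not MediaWiki code. Each failed login for an account
adds delay that grows with the recent failure count, but the account is
never locked, so an attacker cannot deny service to sysops simply by
guessing badly on purpose. Names and thresholds are assumptions.
"""
import time
from collections import defaultdict

WINDOW = 600          # seconds a failure stays counted (assumed)
MAX_DELAY = 30        # cap on the enforced delay in seconds (assumed)
ATTACK_ACCOUNTS = 5   # distinct accounts failing from one IP => alert (assumed)


class LoginThrottle:
    def __init__(self, now=time.time):
        self.now = now
        self.failures = defaultdict(list)      # account -> failure timestamps
        self.ip_targets = defaultdict(set)     # source ip -> accounts it failed on

    def _recent(self, account):
        """Drop failures older than WINDOW and return the live list."""
        cutoff = self.now() - WINDOW
        self.failures[account] = [t for t in self.failures[account] if t > cutoff]
        return self.failures[account]

    def required_delay(self, account):
        """Seconds the next attempt must wait: 0 until the third failure,
        then doubling (2, 4, 8 ...) up to MAX_DELAY. The cap is what keeps
        this a speed bump rather than the lockout the thread warns about."""
        n = len(self._recent(account))
        if n < 3:
            return 0
        return min(MAX_DELAY, 2 ** (n - 2))

    def record_failure(self, account, ip):
        """Log a failed attempt; return True once this IP has failed against
        enough distinct accounts to look like a dictionary-style sweep."""
        self._recent(account).append(self.now())
        self.ip_targets[ip].add(account)
        return len(self.ip_targets[ip]) >= ATTACK_ACCOUNTS

    def record_success(self, account):
        """A correct password clears the backlog so the real user is not
        still paying for an attacker's earlier guesses."""
        self.failures.pop(account, None)
```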

Re: [Foundation-l] Password security notes

jmerkey-3
Brion Vibber wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>As noted in other threads on several mailing lists, a few admin accounts
>on en.wikipedia have been compromised recently, used to vandalize
>high-traffic protected pages.
>
>We're starting to roll out some additional protections against
>password-guessing attacks, including but not limited to:
>
>* Additional logging to better detect dictionary-style attacks
>
>* Speed-bump measures against multiple failed logins
>[But not that should DoS legitimate users. The traditional "lock out the
>account after three tries" would make it trivial to lock out all the
>site's sysops -- not wise. :)]
>  
>
What you should do here is after three failed attempts **CHANGE** the
password and email the new password
to the affected account. Otherwise, the account is locked up. It will
require people enter a valid email address, but oh well.

Jeff



Re: Password security notes

Steve Sanbeg
On Mon, 07 May 2007 16:19:28 -0600, Jeff V. Merkey wrote:


> What you should do here is after three failed attempts **CHANGE** the
> password and email the new password
> to the affected account. Otherwise, the account is locked up. It will
> require people enter a valid email address, but oh well.
>
> Jeff

DoS and spam seem like adding insult to injury.  I'd expect a lot of
complaints from the poor users whose passwords change hourly.

Slowing down the response rate based on the number of requests seems less
painful.





Re: Password security notes

jmerkey-3
Steve Sanbeg wrote:

>On Mon, 07 May 2007 16:19:28 -0600, Jeff V. Merkey wrote:
>
>
>  
>
>>What you should do here is after three failed attempts **CHANGE** the
>>password and email the new password
>>to the affected account. Otherwise, the account is locked up. It will
>>require people enter a valid email address, but oh well.
>>
>>Jeff
>>    
>>
>
>DoS and spam seem like adding insult to injury.  I'd expect a lot of
>complaints from the poor users whose passwords change hourly.
>
>Slowing down the response rate based on the number of requests seems less
>painful.
>
>
>  
>
Actually no. Only one password email can be sent every 24 hours. This is
how the current MediaWiki works, so this would work well.

Jeff




Re: Password security notes

Rob Church
On 07/05/07, Jeff V. Merkey <[hidden email]> wrote:
> Actually no. Only one password email can be sent every 24 hours. This is
> how the current MediaWiki works, so this
> would work well.

The problem is that if this was done, then a malicious user could
trigger account suspension for all administrators on a wiki, which
would interrupt important actions such as blocking vandals and other
undesirable editors, deleting pages and images, and disrupt the
overall administrative infrastructure.

This might not be such an issue on large wikis, such as the English
Wikipedia, which has upwards of 900 administrators, but consider the
smaller wikis with fewer active administrators.


Rob Church


Re: Password security notes

jmerkey-3
Rob Church wrote:

>On 07/05/07, Jeff V. Merkey <[hidden email]> wrote:
>  
>
>>Actually no. Only one password email can be sent every 24 hours. This is
>>how the current MediaWiki works, so this
>>would work well.
>>    
>>
>
>The problem is that if this was done, then a malicious user could
>trigger account suspension for all administrators on a wiki, which
>would interrupt important actions such as blocking vandals and other
>undesirable editors, deleting pages and images, and disrupt the
>overall administrative infrastructure.
>
>This might not be such an issue on large wikis, such as the English
>Wikipedia, which has upwards of 900 administrators, but consider the
>smaller wikis with fewer active administrators.
>
>
>Rob Church
Add a check for the admin's IP address from checkuser and if the address
is different send a new email.

Jeff


Re: Password security notes

Aryeh Gregor
On 5/8/07, Jeffrey V. Merkey <[hidden email]> wrote:
> Add a check for the admins IP address from checkuser and if the address
> is different send a new email.

Far too fragile.  Admins may want to log in from multiple IPs for any
of a wide variety of reasons, not least of which is a dynamic ISP, but
also travelling, work/school/home, etc.


Re: Password security notes

David Gerard-2
On 08/05/07, Simetrical <[hidden email]> wrote:
> On 5/8/07, Jeffrey V. Merkey <[hidden email]> wrote:

> > Add a check for the admins IP address from checkuser and if the address
> > is different send a new email.

> Far too fragile.  Admins may want to log in from multiple IPs for any
> of a wide variety of reasons, not least of which is a dynamic ISP, but
> also travelling, work/school/home, etc.


Indeed. I tend to live my online life from whatever copy of Firefox is
handy - Gmail, Gtalk, LiveJournal, Wikipedia.

I'm surprised https:// login isn't standard on Wikimedia sites already
... it is on every other large service.


- d.
