Password security

Password security

Brion Vibber
I've disabled the ability to use blank passwords on wiki accounts.

For a long time we treated accounts very laxly in this regard; there generally
wasn't _that_ much reason to secure a casual account unless you were one of the
tiny number of sysops.

In recent years though the number of sysops has exploded, and we've added
customization features like the user javascript which are cool but potentially
really annoying if someone gets into your account and messes with them. As a
small concession to security and accountability, it's time for blank passwords
to go.

While running some password security checks, I found that a handful of sysop
accounts had blank passwords. Probably some non-sysop accounts also had blanks.

Affected accounts can reset the password via the automated e-mail password gadget
on the login form, unless of course they didn't put in an e-mail address.

-- brion vibber (brion @ pobox.com)


_______________________________________________
foundation-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/foundation-l

Re: Password security

Jtkiefer
Brion Vibber wrote:

> I've disabled the ability to use blank passwords on wiki accounts.
>
> For a long time we treated accounts very laxly in this regard; there generally
> wasn't _that_ much reason to secure a casual account unless you were one of the
> tiny number of sysops.
>
> In recent years though the number of sysops has exploded, and we've added
> customization features like the user javascript which are cool but potentially
> really annoying if someone gets into your account and messes with them. As a
> small concession to security and accountability, it's time for blank passwords
> to go.
>
> While running some password security checks, I found that a handful of sysop
> accounts had blank passwords. Probably some non-sysop accounts also had blanks.
>
> Affected accounts can reset the password by the automated e-mail password gadget
> on the login form, unless of course they didn't put in an e-mail.
>
> -- brion vibber (brion @ pobox.com)
>
>  
I'm surprised that blank passwords were ever allowed, since they are
probably the worst security you can have, even worse than setting your
password to "password" (I wonder how many editors have that as their
password).  Maybe in the future a stricter password security protocol
should be established and enforced; forcing password changes every x
days would be unduly burdensome, but complexity requirements might be a
good idea, especially since, as you mentioned, the adminship and the
community pool have enlarged greatly.

-Jtkiefer

p.s. any replies to this on wikitech-l please also forward to one of the
other lists or cc directly to me otherwise I will not get it as I am not
subscribed to that list.  Thanks.

Re: [Wikipedia-l] Re: Password security

Brion Vibber
Jtkiefer wrote:
> I'm surprised that blank passwords were ever allowed since they are
> probably the worst security you can make,

Second only to letting anybody edit your web site. ;)

UseModWiki actually went so far as to allow you to create multiple user accounts
with the same user name...

> Maybe in the future a more strict password security protocol
> should be established and enforced, forcing password changes every x
> days would be unduly burdensome but complexity requirements might be a
> good idea especially since as you mentioned the adminship and the
> community pool has enlarged greatly.

I'm fiddling with some basic dictionary checks and such.

-- brion vibber (brion @ pobox.com)


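As an added example (not from the thread and not MediaWiki's own code), here is what the two checks discussed above look like in practice: a policy function that rejects blank, too-short, username-equal and dictionary passwords when a password is set, and an offline audit that tests stored salted hashes against the same short list of guesses, which is how blank passwords turn up in an existing account table. The hash format (hex SHA-256 over salt and password), the six-character minimum, the COMMON_PASSWORDS list and the sample accounts are all constructed for the demonstration and are not the wiki's real scheme or data.

```python
"""Password policy check plus an offline weak-password audit.

Added example, not MediaWiki code.  The stored-hash format used here
(hex SHA-256 over "salt:password") is an assumption made for the
demonstration, not the wiki's real scheme.
"""
import hashlib
import secrets

# Constructed, deliberately tiny dictionary of common passwords.
# A real check would load a far larger wordlist.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "qwerty", "letmein", "wikipedia", "admin",
})

MIN_LENGTH = 6  # assumed minimum; substitute the site's own policy


def check_password(username, password):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if password == "":
        problems.append("blank password")
        return problems  # nothing else is worth reporting for a blank
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    if lowered == username.lower():
        problems.append("same as username")
    if lowered in COMMON_PASSWORDS:
        problems.append("in common-password dictionary")
    return problems


def hash_password(salt, password):
    """Toy salted hash (assumed format, see module docstring)."""
    return hashlib.sha256(f"{salt}:{password}".encode()).hexdigest()


def make_record(username, password):
    """Build an account row the way a user table would store it."""
    salt = secrets.token_hex(8)
    return {"name": username, "salt": salt,
            "hash": hash_password(salt, password)}


def audit_accounts(records, candidates=COMMON_PASSWORDS):
    """Offline check of stored hashes against blank and dictionary guesses.

    Returns {username: matched_guess}.  Only a handful of guesses are tried
    per account, so this finds blank and dictionary passwords without
    doing any real cracking.
    """
    findings = {}
    for rec in records:
        # Blank first, then the username itself, then the dictionary.
        guesses = ["", rec["name"], rec["name"].lower(), *sorted(candidates)]
        for guess in guesses:
            if hash_password(rec["salt"], guess) == rec["hash"]:
                findings[rec["name"]] = guess
                break
    return findings


if __name__ == "__main__":
    # Constructed sample accounts: one blank, one dictionary word, one good.
    sample = [
        make_record("Alice", ""),
        make_record("Bob", "password"),
        make_record("Carol", "correct horse battery staple"),
    ]
    for name, guess in audit_accounts(sample).items():
        print(f"{name}: weak password {guess!r}")
    for name, pw in [("Alice", ""), ("Bob", "password")]:
        print(f"check_password({name!r}) -> {check_password(name, pw)}")
```

The audit deliberately tries only a few guesses per account, so the speed of the hash does not matter; running it against a production table requires swapping hash_password for the site's actual salted scheme, which is the one part of this example that is purely assumed.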