Re: [Wikitech-l] Password security


Re: [Wikitech-l] Password security

Tomasz Wegrzanowski
brion vibber (brion @ pobox.com) wrote:

> I've disabled the ability to use blank passwords on wiki accounts.
>
> For a long time we treated accounts very laxly in this regard; there generally
> wasn't _that_ much reason to secure a casual account unless you were one of the
> tiny number of sysops.
>
> In recent years though the number of sysops has exploded, and we've added
> customization features like the user javascript which are cool but potentially
> really annoying if someone gets into your account and messes with them. As a
> small concession to security and accountability, it's time for blank passwords
> to go.
>
> While running some password security checks, I found that a handful of sysop
> accounts had blank passwords. Probably some non-sysop accounts also had blanks.
>
> Affected accounts can reset the password by the automated e-mail
> password gadget on the login form, unless of course they didn't put in an e-mail.

This is seriously wrong. It should be completely reversed.

A lot of people have just lost their account because of this,
and it wasn't even announced that it was coming.
This part of the problem could be reduced if the change was
announced in advance.

However, that's not the full problem.
Many people use blank or trivial passwords and don't give their emails.
This is completely reasonable, as it's very hard to remember just
another password (and reusing passwords on different websites is about
as bad as having none),
and even if spamming wasn't a problem, why the heck would any website
need their email in the first place?

So, while dictionary-checking sysops' passwords makes a lot of sense,
there's very little point in limiting passwords of the non-privileged accounts.

(and yeah, /me just lost 2 (rarely used) accounts on fr.wp and de.wp)
_______________________________________________
Wikitech-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/wikitech-l

Re: Re: [Wikitech-l] Password security

Brion Vibber
Tomasz Wegrzanowski wrote:
> So, while dictionary-checking sysops' passwords makes a lot of sense,
> there's very little point in limiting passwords of the non-privileged accounts.

At the moment we don't have a separate switch for sysops, nor any control which
would prevent blank-password accounts from being made into sysops. I'd rather
risk disabling a few accounts temporarily than keep the incredibly dangerous
sysop accounts open (which could be used potentially to great destructive effect).

-- brion vibber (brion @ pobox.com)


_______________________________________________
Wikipedia-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/wikipedia-l

Re: Re: [Wikitech-l] Password security

Gregory Maxwell
On 1/30/06, Brion Vibber <[hidden email]> wrote:
> Tomasz Wegrzanowski wrote:
> > So, while dictionary-checking sysops' passwords makes a lot of sense,
> > there's very little point in limiting passwords of the non-privileged accounts.
>
> At the moment we don't have a separate switch for sysops, nor any control which
> would prevent blank-password accounts from being made into sysops. I'd rather
> risk disabling a few accounts temporarily than keep the incredibly dangerous
> sysop accounts open (which could be used potentially to great destructive effect).

Take your list of users with blank passwords. Import into database.
Join with the groups table to turn it into sysops.. use that as a
subselect in an update query to blank the password hash field on those
users. Done.

I'd just write the statement off the top of my head, but I'm not used
to dealing with those fields. :)
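
The targeted update Gregory describes, written out as an added example (not code from the thread or from MediaWiki). It assumes MediaWiki's `user` and `user_groups` tables with the column names used below, an imported `blank_pw_users` table holding the flagged ids, and uses SQLite with constructed rows in place of the production MySQL database.

```python
import sqlite3

# Constructed sample rows standing in for MediaWiki's `user` and `user_groups`
# tables, plus the imported list of user ids the password check flagged. The
# flagged users still hold a hash (of the empty string); that is what gets blanked.
USERS = [
    (1, "Alice", "hash_of_real_password"),
    (2, "Bob", "hash_of_empty_password"),    # sysop with a blank password
    (3, "Carol", "hash_of_empty_password"),  # ordinary user with a blank password
    (4, "Dave", "hash_of_real_password"),
]
GROUPS = [(1, "sysop"), (2, "sysop"), (4, "bureaucrat")]
BLANK_PASSWORD_USER_IDS = [2, 3]

SCHEMA = """
CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_name TEXT, user_password TEXT);
CREATE TABLE user_groups (ug_user INTEGER, ug_group TEXT);
CREATE TABLE blank_pw_users (user_id INTEGER PRIMARY KEY);
"""

# The subselect from the post: flagged users joined to the groups table, sysops only.
AFFECTED_SYSOPS = """
SELECT b.user_id FROM blank_pw_users AS b
  JOIN user_groups AS g ON g.ug_user = b.user_id
 WHERE g.ug_group = 'sysop'
"""

def build_db() -> sqlite3.Connection:
    """Load the constructed rows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO user_groups VALUES (?, ?)", GROUPS)
    conn.executemany("INSERT INTO blank_pw_users VALUES (?)",
                     [(uid,) for uid in BLANK_PASSWORD_USER_IDS])
    return conn

def invalidate_blank_sysop_passwords(conn: sqlite3.Connection) -> list:
    """Blank the stored hash of every flagged sysop; return the affected ids."""
    affected = sorted(row[0] for row in conn.execute(AFFECTED_SYSOPS))
    conn.execute(f"UPDATE user SET user_password = '' WHERE user_id IN ({AFFECTED_SYSOPS})")
    conn.commit()
    return affected

def password_hash(conn: sqlite3.Connection, user_id: int) -> str:
    """Read back a user's stored hash so the effect can be checked."""
    row = conn.execute("SELECT user_password FROM user WHERE user_id = ?", (user_id,))
    return row.fetchone()[0]
```

Only the flagged sysop (Bob) is locked out; the flagged ordinary user (Carol) keeps her account, which is the distinction Tomasz asked for.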

Re: Re: [Wikitech-l] Password security

Andrew Gray
In reply to this post by Tomasz Wegrzanowski
On 31/01/06, Tomasz Wegrzanowski <[hidden email]> wrote:

> A lot of people have just lost their account because of this,
> and it wasn't even announced that it was coming.
> This part of the problem could be reduced if the change was
> announced in advance.

It strikes me that announcing in advance "Hey, guys, a number of
accounts INCLUDING n SYSOPS have blank passwords and can easily be
taken over..", then not fixing it for a while, is a recipe for
disaster. It's not that hard to generate a list of users with admin
privileges, and presumably neither is it impossible to write a short
script to try 800 logins...

--
- Andrew Gray
  [hidden email]

Re: Re: [Wikitech-l] Password security

Brion Vibber
Andrew Gray wrote:

> On 31/01/06, Tomasz Wegrzanowski <[hidden email]> wrote:
>> A lot of people have just lost their account because of this,
>> and it wasn't even announced that it was coming.
>> This part of the problem could be reduced if the change was
>> announced in advance.
>
> It strikes me that announcing in advance "Hey, guys, a number of
> accounts INCLUDING n SYSOPS have blank passwords and can easily be
> taken over..", then not fixing it for a while, is a recipe for
> disaster.
Bingo.

-- brion vibber (brion @ pobox.com)



Re: [Wikitech-l] Password security

Walter Vermeir-2
In reply to this post by Andrew Gray
Andrew Gray <shimgray@...> writes:
> It strikes me that announcing in advance "Hey, guys, a number of
> accounts INCLUDING n SYSOPS have blank passwords and can easily be
> taken over..", then not fixing it for a while, is a recipe for
> disaster. It's not that hard to generate a list of users with admin
> privileges, and presumably neither is it impossible to write a short
> script to try 800 logins...

But there can not be many sysop or higher accounts with no password (I hope).

Using no password, especially when you are a sysop, is highly irresponsible and
those users should be de-sysopped.

When there are no accounts left that are anything other than normal users, then
blank passwords could be enabled again for 2 weeks or so to give those users the
time to pick a password.

How can users who have no access anymore to their account regain access, Brion?

Make a bugzilla ticket?

Walter


Re: Re: [Wikitech-l] Password security

Alphax (Wikipedia email)
Walter Vermeir wrote:

> Andrew Gray <shimgray@...> writes:
>
>>It strikes me that announcing in advance "Hey, guys, a number of
>>accounts INCLUDING n SYSOPS have blank passwords and can easily be
>>taken over..", then not fixing it for a while, is a recipe for
>>disaster. It's not that hard to generate a list of users with admin
>>privileges, and presumably neither is it impossible to write a short
>>script to try 800 logins...
>
>
> But there can not be many sysop or higher accounts with no password (I hope).
>
> Using no password, especially when you are a sysop, is highly irresponsible and
> those users should be de-sysopped.
>
> When there are no accounts left that are anything other than normal users, then
> blank passwords could be enabled again for 2 weeks or so to give those users the
> time to pick a password.
>
> How can users who have no access anymore to their account regain access, Brion?
>
> Make a bugzilla ticket?
>
There are certainly sysops on en: who don't have email addresses entered
- should /they/ be desysopped?

There are certainly plenty of people who haven't entered email
addresses, and complain "I've lost my password, can you reset it for me"
- but how can we be sure that they are the owner of the account, if they
never entered an email address?

One solution, possibly not the best, is to force people to enter an
email address, and send an "activation token" to that address. At
present email is the only way people have of recovering passwords; we
need to either give them another way, or make email part of the signup
process.

--
Alphax - http://en.wikipedia.org/wiki/User:Alphax
Contributor to Wikipedia, the Free Encyclopedia
"We make the internet not suck" - Jimbo Wales
Public key: http://en.wikipedia.org/wiki/User:Alphax/OpenPGP

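
One way to implement the signup activation token Alphax proposes, as an added example that is not the thread's or MediaWiki's code. The in-memory `PENDING` store, the one-day lifetime and storing only a SHA-256 of the token are assumptions; the point shown is that the token proves control of the e-mail address once, and a copy of the server-side table cannot be replayed.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory store of pending activations, keyed by account name.
# Only the SHA-256 of the token is stored: a leaked copy of this table does not
# let anyone activate an account, and the token itself exists only in the e-mail.
PENDING = {}
TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumption: an activation link is good for one day


def issue_activation_token(user_name: str, now: Optional[float] = None) -> str:
    """Mint a single-use token to put in the activation link sent at signup."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    digest = hashlib.sha256(token.encode()).hexdigest()
    PENDING[user_name] = (digest, now + TOKEN_TTL_SECONDS)
    return token


def redeem_activation_token(user_name: str, presented: str,
                            now: Optional[float] = None) -> bool:
    """Return True once, for the right token, before it expires; else False."""
    now = time.time() if now is None else now
    entry = PENDING.get(user_name)
    if entry is None:
        return False  # nothing pending, or already used
    digest, expires_at = entry
    if now > expires_at:
        PENDING.pop(user_name, None)  # stale token: the user must request a new link
        return False
    candidate = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(digest, candidate):  # constant-time comparison
        return False
    PENDING.pop(user_name, None)  # single use: the link cannot be replayed
    return True
```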

RE: Re: [Wikitech-l] Password security

Caroline Ford
I think they should be de-sysopped - they've put the project at massive
risk..


Re: Re: [Wikitech-l] Password security

Chris Jenkinson
In reply to this post by Walter Vermeir-2
Walter Vermeir wrote:
> Using no password, especially when you are a sysop, is highly irresponsible and
> those users should be de-sysopped.

I thought adminship was no big deal... ;)

Chris

--
Chris Jenkinson
[hidden email]

"Mistrust all in whom the impulse to punish is powerful."
  -- Friedrich Nietzsche, Thus Spoke Zarathustra

Re: Re: [Wikitech-l] Password security

The Cunctator
On 2/4/06, Chris Jenkinson <[hidden email]> wrote:
> Walter Vermeir wrote:
> > Using no password, especially when you are a sysop, is highly irresponsible and
> > those users should be de-sysopped.
>
> I thought adminship was no big deal... ;)
>
I personally think they should be lined up and shot.

Defend the citadel!