Re: [Wikitech-l] Password security


Re: [Wikitech-l] Password security

Tomasz Wegrzanowski
brion vibber (brion @ pobox.com) wrote:

> I've disabled the ability to use blank passwords on wiki accounts.
>
> For a long time we treated accounts very laxly in this regard; there generally
> wasn't _that_ much reason to secure a casual account unless you were one of the
> tiny number of sysops.
>
> In recent years though the number of sysops has exploded, and we've added
> customization features like the user javascript which are cool but potentially
> really annoying if someone gets into your account and messes with them. As a
> small concession to security and accountability, it's time for blank passwords
> to go.
>
> While running some password security checks, I found that a handful of sysop
> accounts had blank passwords. Probably some non-sysop accounts also had blanks.
>
> Affected accounts can reset the password by the automated e-mail
> password gadget on the login form, unless of course they didn't put in an e-mail.

This is seriously wrong. It should be completely reversed.

A lot of people have just lost their account because of this,
and it wasn't even announced that it was coming.
This part of the problem could be reduced if the change was
announced in advance.

However, that's not the full problem.
Many people use blank or trivial passwords and don't give their emails.
This is completely reasonable, as it's very hard to remember just
another password (and reusing passwords on different websites is about
as bad as having none),
and even if spamming wasn't a problem, why the heck would any website
need their email in the first place?

So, while dictionary-checking sysops' passwords makes a lot of sense,
there's very little point in limiting passwords of the non-privileged accounts.

(and yeah, /me just lost 2 (rarely used) accounts on fr.wp and de.wp)
_______________________________________________
Wikitech-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/wikitech-l

Re: [Wikipedia-l] Re: [Wikitech-l] Password security

Brion Vibber
Tomasz Wegrzanowski wrote:
> So, while dictionary-checking sysops' passwords makes a lot of sense,
> there's very little point in limiting passwords of the non-privileged accounts.

At the moment we don't have a separate switch for sysops, nor any control which
would prevent blank-password accounts from being made into sysops. I'd rather
risk disabling a few accounts temporarily than keep the incredibly dangerous
sysop accounts open (which could potentially be used to great destructive effect).

-- brion vibber (brion @ pobox.com)


_______________________________________________
Wikipedia-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/wikipedia-l

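The two controls Brion says the software lacks at this point, a stricter policy for privileged accounts and a gate that refuses promotion while the password is below that policy, sketched as an added example in Python. This is not MediaWiki code; the deny-list, role names and hashing parameters are constructed assumptions.

```python
# Added example, not MediaWiki code; policy values and names are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass, field

COMMON_PASSWORDS = {"password", "123456", "qwerty", "wikipedia", "admin"}  # tiny deny-list
PRIVILEGED_ROLES = {"sysop", "bureaucrat"}
@dataclass
class Account:
    name: str
    roles: set = field(default_factory=set)
    salt: bytes = b""
    digest: bytes = b""
    meets_privileged_policy: bool = False  # True once the password passed the sysop rules

def check_password(candidate: str, privileged: bool) -> list:
    """Return policy violations; an empty list means the password is acceptable."""
    problems = []
    if candidate == "":
        problems.append("blank password")  # rejected for every account, sysop or not
    if privileged:  # stricter rules only where an account takeover does real damage
        if candidate.lower() in COMMON_PASSWORDS:
            problems.append("dictionary word")
        if len(candidate) < 8:
            problems.append("shorter than 8 characters")
    return problems

def set_password(acct: Account, candidate: str) -> Account:
    """Apply the role-appropriate policy, then store a salted PBKDF2 hash."""
    problems = check_password(candidate, bool(acct.roles & PRIVILEGED_ROLES))
    if problems:
        raise ValueError(f"{acct.name}: " + ", ".join(problems))
    acct.salt = os.urandom(16)
    acct.digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), acct.salt, 200_000)
    acct.meets_privileged_policy = not check_password(candidate, True)
    return acct

def verify_password(acct: Account, candidate: str) -> bool:
    if not acct.digest:  # password never set: no login possible, rather than blank accepted
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), acct.salt, 200_000)
    return hmac.compare_digest(digest, acct.digest)  # constant-time comparison

def grant_role(acct: Account, role: str) -> Account:
    # Promotion gate: the control the thread notes was missing.
    if role in PRIVILEGED_ROLES and not acct.meets_privileged_policy:
        raise PermissionError(f"{acct.name}: password does not meet the {role} policy")
    acct.roles.add(role)
    return acct
```

A non-privileged account may keep a trivial password, as Tomasz argues, but it cannot be promoted until the password is reset to one that passes the stricter check.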

Re: Re: [Wikitech-l] Password security

Robert S. Horning
In reply to this post by Tomasz Wegrzanowski
Tomasz Wegrzanowski wrote:

> brion vibber (brion @ pobox.com) wrote:
>
>> While running some password security checks, I found that a handful of sysop
>> accounts had blank passwords. Probably some non-sysop accounts also had blanks.
>>
>> Affected accounts can reset the password by the automated e-mail
>> password gadget on the login form, unless of course they didn't put in an e-mail.
>
> This is seriously wrong. It should be completely reversed.
>
> A lot of people have just lost their account because of this,
> and it wasn't even announced that it was coming.
> This part of the problem could be reduced if the change was
> announced in advance.

For those users who do have e-mail addresses for their accounts, were
there any provisions done to try and send a simple e-mail to those users
asking them to update their accounts with stronger passwords? Especially sysops?

While I support the actions of Brion to try and strengthen the passwords
for user accounts, some internal notice should have been given in more
widely read forums, of which Wikitech-l and Foundation-l are not really
widely read forums for the typical Wikimedian.  Actually, I don't know
of a good place, although there are several places that would work to at
least notify a few more people than simply the e-mail lists.

I feel for Brion, however.  He is trying to secure the servers from
idiots and vandals when Wikimedia policies encourage idiots and vandals
to participate and wreck things.

--
Robert Scott Horning



_______________________________________________
foundation-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/foundation-l

Re: Re: [Wikitech-l] Password security

Brion Vibber
Robert Scott Horning wrote:
> For those users who do have e-mail addresses for their accounts, were
> there any provisions done to try and send a simple e-mail to those users
> asking them to update their accounts with stronger passwords? Especially
> sysops?

For sysops I could track down, yes.

> While I support the actions of Brion to try and strengthen the passwords
> for user accounts, some internal notice should have been given in more
> widely read forums, of which Wikitech-l and Foundation-l are not really
> widely read forums for the typical Wikimedian.  Actually, I don't know
> of a good place, although there are several places that would work to at
> least notify a few more people than simply the e-mail lists.

I can't predict every possible place people might read on hundreds of wikis,
hence my announcement on three mailing lists and the English Wikipedia Village
Pump. From there people are, I assume, still copying relevant announcements to
their local haunts.

-- brion vibber (brion @ pobox.com)

