Readable and easy to remember passwords

Readable and easy to remember passwords

John Ky
Hello,

Is it possible to make MediaWiki generate readable and easy to
remember passwords?  i.e. avoiding confusion between 1 and l, and using
combinations of letters that are pronounceable?

Thanks

-John
_______________________________________________
Wikitech-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/wikitech-l

Re: Readable and easy to remember passwords

Gerard Meijssen-3
John Ky wrote:
> Hello,
>
> Is it possible to make MediaWiki generate readable and easy to
> remember passwords?  i.e. avoiding confusion between 1 and l, and using
> combinations of letters that are pronounceable?
>
> Thanks
>
> -John
Hoi,
There is a difference between if MediaWiki could generate passwords and
if it should. When there is an engine that generates passwords, this
same engine could be used to generate passwords for an attack. Choosing
passwords is the end-user's responsibility. It is exactly by choosing a 1
instead of an l that a brute force attack becomes slightly more
problematic.

The other thing to consider is that when MW starts generating passwords,
they will then be based on English?? Bad idea when people use other
languages like Hindi or Russian. At that the captchas doing English
words is not that great an idea (though it is convenient for me).

Thanks,
    GerardM

Re: Readable and easy to remember passwords

John Ky
Hi Gerard,

The issue isn't whether it could or should generate passwords because
it already does generate passwords.  The "E-mail password"
functionality people use when they forget their password already
generates a new password.  I am asking if the generated password can
be made easier to remember.  The criteria I'm asking for isn't whether
the generated passwords should be English, but whether they should be
pronounceable - for instance "jimperbolt" or "paldyacktor" instead of
"tN2HcQm".

-John

On 9/2/06, Gerard Meijssen <[hidden email]> wrote:

> John Ky wrote:
> > Hello,
> >
> > Is it possible to make MediaWiki generate readable and easy to
> > remember passwords?  i.e. avoiding confusion between 1 and l, and using
> > combinations of letters that are pronounceable?
> >
> > Thanks
> >
> > -John
> Hoi,
> There is a difference between if MediaWiki could generate passwords and
> if it should. When there is an engine that generates passwords, this
> same engine could be used to generate passwords for an attack. Choosing
> passwords is the end-user's responsibility. It is exactly by choosing a 1
> instead of an l that a brute force attack becomes slightly more
> problematic.
>
> The other thing to consider is that when MW starts generating passwords,
> they will then be based on English?? Bad idea when people use other
> languages like Hindi or Russian. At that the captchas doing English
> words is not that great an idea (though it is convenient for me).
>
> Thanks,
>     GerardM
Re: Readable and easy to remember passwords

Brion Vibber
In reply to this post by John Ky
John Ky wrote:
> Is it possible to make MediaWiki generate readable and easy to
> remember passwords?  i.e. avoiding confusion between 1 and l, and using
> combinations of letters that are pronounceable?

Really it shouldn't be generating passwords ever. :)

In the cases where it does generate a password, this should be changed to a
temporary code that lets you get in just far enough to set your own password.

Among other things, this would ensure that people don't have all their account
passwords sitting in their e-mail archives for any opportunist to type
"password" into their Gmail search...

-- brion vibber (brion @ pobox.com)
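
The temporary-code approach described in the message above, sketched as an added example that is not part of the original post and is not MediaWiki's code. The in-memory store, the one-hour lifetime and the `set_password` callback are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed lifetime; the thread does not give one

# Hypothetical in-memory store: username -> (sha256 of code, expiry time).
_pending = {}


def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()


def issue_reset_code(username, now=None):
    """Create the code that gets e-mailed; only its hash is kept server-side."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending[username] = (_digest(code), now + TOKEN_TTL_SECONDS)
    return code


def redeem_reset_code(username, code, new_password, set_password, now=None):
    """Accept the code once, and only to store a password the user chose."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False
    stored, expires = entry
    if now > expires:
        del _pending[username]  # expired codes are discarded
        return False
    if not hmac.compare_digest(stored, _digest(code)):
        return False
    del _pending[username]  # single use: a copy left in a mailbox is dead
    set_password(username, new_password)
    return True
```

Because the code expires and is consumed on first use, the message left in an e-mail archive never contains a working credential.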



Re: Readable and easy to remember passwords

John Ky
Hi Brion,

Yes, I would prefer that solution the most.  Will it make its way into
the software?

-John

On 9/2/06, Brion Vibber <[hidden email]> wrote:

> Really it shouldn't be generating passwords ever. :)
>
> In the cases where it does generate a password, this should be changed to a
> temporary code that lets you get in just far enough to set your own password.
>
> Among other things, this would ensure that people don't have all their account
> passwords sitting in their e-mail archives for any opportunist to type
> "password" into their Gmail search...
>
> -- brion vibber (brion @ pobox.com)

Re: Readable and easy to remember passwords

Steve Bennett-4
In reply to this post by Gerard Meijssen-3
On 9/2/06, Gerard Meijssen <[hidden email]> wrote:
>
> There is a difference between if MediaWiki could generate passwords and
> if it should. When there is an engine that generates passwords, this
> same engine could be used to generate passwords for an attack. Choosing
> passwords is the end-user's responsibility. It is exactly by choosing a 1
> instead of an l that a brute force attack becomes slightly more
> problematic.



Heh, check the passwords that most people use, I bet you find they're all
"puppy" and "susie".

Steve

Re: Readable and easy to remember passwords

Stephen Bain
On 9/3/06, Steve Bennett <[hidden email]> wrote:
>
> Heh, check the passwords that most people use, I bet you find they're all
> "puppy" and "susie".

IIRC, either Brion or Tim did some checking a while ago and found that
many people did indeed have very short passwords. I can't find the
message however, it may have had something to do with single sign-in
stuff.

I do know that the ability to have an empty password was only switched
off in January this year:
http://mail.wikipedia.org/pipermail/wikitech-l/2006-January/033833.html

--
Stephen Bain
[hidden email]

Re: Readable and easy to remember passwords

Leon Weber
Stephen Bain wrote:

> On 9/3/06, Steve Bennett <[hidden email]> wrote:
>  
>> Heh, check the passwords that most people use, I bet you find they're all
>> "puppy" and "susie".
>>    
>
> IIRC, either Brion or Tim did some checking a while ago and found that
> many people did indeed have very short passwords. I can't find the
> message however, it may have had something to do with single sign-in
> stuff.
They shouldn't be able to check this, since passwords are stored as
md5-hashes in the DB, no?
-- Leon

Re: Readable and easy to remember passwords

Stephen Bain
On 9/3/06, Leon Weber <[hidden email]> wrote:
>
> They shouldn't be able to check this, since passwords are stored as
> md5-hashes in the DB, no?

I believe that it was some basic dictionary checking, conducted by a
script that simply reported whether or not a given common word was
being used as a password. The data produced was not linked to any
accounts.

--
Stephen Bain
[hidden email]

Re: Readable and easy to remember passwords

Rob Church
In reply to this post by Leon Weber
On 03/09/06, Leon Weber <[hidden email]> wrote:
> They shouldn't be able to check this, since passwords are stored as
> md5-hashes in the DB, no?

I recall coming across a page somewhere where Tim posted a list of all
users who appeared to be using the same password; this was a long time
ago, before salted hashing, I guess...

...your own conclusions draw you shall. :) Incidentally, the page was
blanked, deleted etc. and Brion was not a happy system admin. This is
also no longer possible to determine since we salt password hashes, so
Don't Panic.


Rob Church
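
Why salting ends the "who shares a password" lookup mentioned in this message, as an added example that is not part of the original post and is not MediaWiki's hashing code. The accounts are constructed, and the salt-then-password layout is an assumption chosen for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample accounts; names and passwords are made up.
ACCOUNTS = {"alice": "puppy", "bob": "susie", "carol": "puppy", "dave": "secret"}


def unsalted_md5(password):
    return hashlib.md5(password.encode()).hexdigest()


def salted_md5(password, salt):
    # MD5 is used only because the thread names it; the salt is per user.
    return hashlib.md5(salt + password.encode()).hexdigest()


def build_tables(accounts):
    """Return the two stored forms: {user: hash} and {user: (salt, hash)}."""
    unsalted = {u: unsalted_md5(p) for u, p in accounts.items()}
    salted = {}
    for user, password in accounts.items():
        salt = secrets.token_bytes(8)
        salted[user] = (salt, salted_md5(password, salt))
    return unsalted, salted


def shared_hash_groups(hash_by_user):
    """Group users whose stored hash is byte-for-byte identical."""
    groups = defaultdict(list)
    for user, digest in hash_by_user.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def verify(password, salt, stored):
    # Login still works: the salt is stored next to the hash and reused.
    return hmac.compare_digest(salted_md5(password, salt), stored)
```

With the unsalted table the two accounts using "puppy" fall into one group; with per-user salts no two rows match, while `verify` still accepts the right password.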

Re: Readable and easy to remember passwords

Angela-5
On 9/3/06, Rob Church <[hidden email]> wrote:
> I recall coming across a page somewhere where Tim posted a list of all
> users who appeared to be using the same password; this was a long time
> ago, before salted hashing, I guess...

Mostly users suspected of being Lir's sockpuppets, not all users.
http://it.slashdot.org/article.pl?sid=05/05/31/172233

Angela.

Re: Readable and easy to remember passwords

Rob Church
On 03/09/06, Angela <[hidden email]> wrote:
> Mostly users suspected of being Lir's sockpuppets, not all users.
> http://it.slashdot.org/article.pl?sid=05/05/31/172233

Yes, well, whatever; nobody cares now. Grievous violation of privacy,
etc, etc. slap on wrist - all administered at the time. I mentioned it
as a point of interest.


Rob Church

Re: Readable and easy to remember passwords

Gerard Meijssen-3
In reply to this post by Steve Bennett-4
Steve Bennett wrote:

> On 9/2/06, Gerard Meijssen <[hidden email]> wrote:
>  
>> There is a difference between if MediaWiki could generate passwords and
>> if it should. When there is an engine that generates passwords, this
>> same engine could be used to generate passwords for an attack. Choosing
>> passwords is the end-user's responsibility. It is exactly by choosing a 1
>> instead of an l that a brute force attack becomes slightly more
>> problematic.
>>    
>
>
>
> Heh, check the passwords that most people use, I bet you find they're all
> "puppy" and "susie".
>
> Steve
Hoi,
No, they are all "secret".
GerardM

Re: Readable and easy to remember passwords

Steve Bennett-4
In reply to this post by Stephen Bain
On 9/3/06, Stephen Bain <[hidden email]> wrote:
> IIRC, either Brion or Tim did some checking a while ago and found that
> many people did indeed have very short passwords. I can't find the
> message however, it may have had something to do with single sign-in
> stuff.
>
> I do know that the ability to have an empty password was only switched
> off in January this year:

We should probably bear in mind we're talking about wikis here, not
bank accounts or anything especially confidential.

Steve

Re: Readable and easy to remember passwords

Gerard Meijssen-3
Steve Bennett wrote:

> On 9/3/06, Stephen Bain <[hidden email]> wrote:
>  
>> IIRC, either Brion or Tim did some checking a while ago and found that
>> many people did indeed have very short passwords. I can't find the
>> message however, it may have had something to do with single sign-in
>> stuff.
>>
>> I do know that the ability to have an empty password was only switched
>> off in January this year:
>>    
>
> We should probably bear in mind we're talking about wikis here, not
> bank accounts or anything especially confidential.
>
> Steve
Hoi,
Without the benefit of an old thread it is a very cryptic remark.
However, from a basic point of view without sufficiently secure
passwords the notion of confidentiality is severely diminished. You only
consider our present requirements and with Wikiversity they WILL change.
Also with the upcoming single login we will have one password for
everything. If anything suggesting that "easy to remember passwords" are
a good thing is something I do not share with you. I would not accept
the liability that follows from bad practice when this bad practice is
promoted by us as an organisation.

When people select their own passwords then it is their business to
select something suitable. Given that people often do not have secure
passwords, I would suggest using stronger authentication when our needs
change.
Thanks,
    GerardM

Re: Readable and easy to remember passwords

Gregory Maxwell
In reply to this post by Brion Vibber
On 9/2/06, Brion Vibber <[hidden email]> wrote:
> Really it shouldn't be generating passwords ever. :)
>
> In the cases where it does generate a password, this should be changed to a
> temporary code that lets you get in just far enough to set your own password.
>
> Among other things, this would ensure that people don't have all their account
> passwords sitting in their e-mail archives for any opportunist to type
> "password" into their Gmail search...

If you ever do get convinced to generate easier passwords... Please
look at the S/KEY password system. Each phrase encodes 64 bits, which
is far better than any passwords that humans are going to generate
(killing gerardm's argument).

The problem with any such system is that the password is only easy for
people who speak the right language.

What do the folks at the RTL Middle Eastern languages think of our captchas btw?
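
The trade-off between pronounceable output and the 64-bit figure raised in this thread, as an added example that is not part of any post here. It is not S/KEY and uses no word dictionary; the consonant-vowel-consonant scheme, the letter sets and the 62-symbol comparison alphabet are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed letter sets: 'l' is left out (confusable with 1), and 'q', 'x'
# and 'y' are left out because they pronounce poorly in a fixed CVC pattern.
CONSONANTS = "bcdfghjkmnprstvwz"  # 17 letters
VOWELS = "aeiou"                  # 5 letters


def bits_per_syllable():
    # One consonant-vowel-consonant syllable, each letter chosen uniformly.
    return math.log2(len(CONSONANTS) * len(VOWELS) * len(CONSONANTS))


def syllables_needed(target_bits):
    return math.ceil(target_bits / bits_per_syllable())


def generate(target_bits=64):
    """Return (password, entropy_bits); letters come from the OS CSPRNG."""
    count = syllables_needed(target_bits)
    parts = [
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS)
        for _ in range(count)
    ]
    # Hyphens only aid reading; they add no entropy and are not counted.
    return "-".join(parts), count * bits_per_syllable()


def uniform_random_bits(length, alphabet_size=62):
    """Entropy of a string drawn uniformly from [A-Za-z0-9] (assumed)."""
    return length * math.log2(alphabet_size)
```

Under these assumptions a seven-character mixed-case string carries about 41.7 bits, while seven pronounceable syllables carry about 73.5: the restricted alphabet costs bits per character, and length buys them back.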

Re: Readable and easy to remember passwords

Simetrical
In reply to this post by Steve Bennett-4
On 9/11/06, Steve Bennett <[hidden email]> wrote:
> We should probably bear in mind we're talking about wikis here, not
> bank accounts or anything especially confidential.

Sysops can add arbitrary JavaScript to the page.  There are over a
thousand on enwiki alone.

On 9/11/06, Gerard Meijssen <[hidden email]> wrote:
> If anything suggesting that "easy to remember passwords" are
> a good thing is something I do not share with you.

"Easy to remember" is different from "easy to guess", although of
course the intersection of the two is large.

Re: Readable and easy to remember passwords

Rotem Liss-2
In reply to this post by Gregory Maxwell
Gregory Maxwell wrote:
> What do the folks at the RTL Middle Eastern languages think of our captchas btw?
>

In the Hebrew projects, it is not enabled in Wikipedia, and the users in the
other projects didn't complain. Most users speak English, or can recognise
English letters.

Sadly, I don't know much about the other RTL projects.

Re: Readable and easy to remember passwords

Platonides

Rotem Liss wrote:
> Gregory Maxwell wrote:
>> What do the folks at the RTL Middle Eastern languages think of our
>> captchas btw?
>>
>
> In the Hebrew projects, it is not enabled in Wikipedia, and the users in
> the
> other projects didn't complain. Most users speak English, or can recognise
> English letters.

Commons does have it enabled, and it's for all wikis. Plus I have read
complaints about it. These captchas are 'made for English people' which can
be good or bad.


