[Wikipedia-l] Re: Password security


[Wikipedia-l] Re: Password security

Tomasz Wegrzanowski
brion vibber (brion @ pobox.com) wrote:
> Tomasz Wegrzanowski wrote:
>> So, while dictionary-checking sysops' passwords makes a lot of sense,
>> there's very little point in limiting passwords of the
>> non-privileged accounts.
>
> At the moment we don't have a separate switch for sysops, nor any control which
> would prevent blank-password accounts from being made into sysops. I'd rather
> risk disabling a few accounts temporarily than keep the incredibly dangerous
> sysop accounts open (which could be used potentially to great destructive effect).

Could you elaborate on the "temporarily" part ?
_______________________________________________
Wikipedia-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/wikipedia-l

[Wikipedia-l] Re: Re: Password security

Brion Vibber
Tomasz Wegrzanowski wrote:
> Could you elaborate on the "temporarily" part ?

Until I finish the force-user-to-change-password-on-next-login code. (Probably
tomorrow.)

-- brion vibber (brion @ pobox.com)




Re: Re: Password security

Neil Harris
Brion Vibber wrote:

> Tomasz Wegrzanowski wrote:
>  
>> Could you elaborate on the "temporarily" part ?
>>    
>
> Until I finish the force-user-to-change-password-on-next-login code. (Probably
> tomorrow.)
>
> -- brion vibber (brion @ pobox.com)
>
>  
I agree, that's probably the right thing to do for non-sysop accounts.
(Although we should perhaps zap any that are not re-activated within
say, three months from now?)

Please keep the _sysop_ accounts with empty/trivial passwords blocked
indefinitely -- now people know they exist, they can easily be searched
for by any potential cracker, with potentially disastrous effects.

Perhaps some of these trivial-password sysop accounts could be
re-activated manually on request, if they have an E-mail address that
can be manually or automatically verified by an E-mail exchange with the
purported owner? Otherwise, it's going to be quite difficult ever to
verify ownership for these accounts, and they should probably remain
locked indefinitely.

-- Neil


_______________________________________________
Wikitech-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/wikitech-l
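The two mechanisms the thread is waiting on (Brion's force-change-on-next-login flag for ordinary accounts, and Neil's request that sysop accounts found with blank or trivial passwords stay locked until someone re-enables them) can be modelled in a few dozen lines. The following is an added example written for this page, not MediaWiki's code: it audits a tiny in-memory user table against a constructed wordlist (blank password included), the way an operator checks their own stored hashes, and then applies the policy. The `Account` fields, the PBKDF2 hashing, the wordlist and the return strings are all assumptions of the example.

```python
"""Added example (not MediaWiki's code): the password policy discussed in the
thread, modelled on a tiny in-memory user table.

 - every account's stored hash is tested against a short wordlist (blank
   password included), the way an operator audits their own user table;
 - a non-privileged account with a weak password gets must_change_password set
   and has to pick a new, non-weak password at next login;
 - a sysop account with a weak password is locked and stays locked until an
   operator explicitly re-enables it with a fresh password.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 50_000   # PBKDF2 work factor; kept modest so the demo runs quickly
MIN_LENGTH = 8
# Constructed toy wordlist; a real audit uses a large dictionary.
WORDLIST = ["", "password", "123456", "qwerty", "wikipedia"]


@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    is_sysop: bool = False
    must_change_password: bool = False
    locked: bool = False


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (assumed storage format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def new_account(name: str, password: str, is_sysop: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, derive(password, salt), is_sysop)


def check_password(acct: Account, password: str) -> bool:
    """Constant-time comparison of the stored digest with a candidate."""
    return hmac.compare_digest(acct.digest, derive(password, acct.salt))


def is_weak(password: str) -> bool:
    """Policy for newly chosen passwords: not short and not on the wordlist."""
    return len(password) < MIN_LENGTH or password.lower() in WORDLIST


def audit(acct: Account) -> str:
    """Test the stored hash against the wordlist and apply the thread's policy.
    Returns what was done: 'ok', 'must_change' or 'locked'."""
    guessed = any(check_password(acct, word) for word in WORDLIST)
    if not guessed:
        return "ok"
    if acct.is_sysop:
        acct.locked = True          # stays locked until unlock() is called
        return "locked"
    acct.must_change_password = True
    return "must_change"


def unlock(acct: Account, new_password: str) -> bool:
    """Operator re-enables a locked sysop; a non-weak password is required."""
    if is_weak(new_password):
        return False
    acct.salt = os.urandom(16)
    acct.digest = derive(new_password, acct.salt)
    acct.locked = False
    acct.must_change_password = False
    return True


def login(acct: Account, password: str, new_password: str = None) -> str:
    """Login flow honouring the lock and the forced-change flag."""
    if acct.locked:
        return "denied: account locked"
    if not check_password(acct, password):
        return "denied: wrong password"
    if acct.must_change_password:
        if new_password is None or is_weak(new_password) or new_password == password:
            return "denied: choose a new non-weak password"
        acct.salt = os.urandom(16)
        acct.digest = derive(new_password, acct.salt)
        acct.must_change_password = False
        return "ok: password changed"
    return "ok"


if __name__ == "__main__":
    # Constructed sample accounts: a blank-password user, a sysop with a
    # dictionary password, and a user with a reasonable passphrase.
    users = [new_account("alice", ""),
             new_account("bob", "password", is_sysop=True),
             new_account("carol", "correct horse battery staple")]
    for u in users:
        print(u.name, audit(u))
    print(login(users[0], "", "long enough new one"))
    print(login(users[1], "password"))
```

The audit deliberately works from the stored hashes rather than from plaintext, so it can be run against an existing user table; with a real wordlist the cost is dominated by the hash work factor, which is the point of a slow hash. Note that `unlock()` forces a new password rather than reinstating the old one, matching Neil's concern that a sysop account known to have had a trivial password should never come back with it.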

Re: Re: Password security

Rob Church
> Please keep the _sysop_ accounts with empty/trivial passwords blocked
> indefinitely -- now people know they exist, they can easily be searched
> for by any potential cracker, with potentially disastrous effects.

Agreed.

> Perhaps some of these trivial-password sysop accounts could be
> re-activated manually on request, if they have an E-mail address that
> can be manually or automatically verified by an E-mail exchange with the
> purported owner? Otherwise, it's going to be quite difficult ever to
> verify ownership for these accounts, and they should probably remain
> locked indefinitely.

Tough. Besides, I fear it would be all too simple to reclaim ownership
of an account that wasn't yours by doing a nice little email exchange,
as described. How would you prove that you were that person? Too many
what-ifs.


Rob Church

Re: Re: Password security

Gregory Maxwell
On 1/31/06, Rob Church <[hidden email]> wrote:
> Tough. Besides, I fear it would be all too simple to reclaim ownership
> of an account that wasn't yours by doing a nice little email exchange,
> as described. How would you prove that you were that person? Too many
> what-ifs.

By simply knowing that you had a blank password you 'prove' that you
had access prior to the lockout (since Brion didn't post a list)..  
Of course if we get a bunch of requests for sysop accounts without
blank passwords...