On 26 October 2011 13:55, William Allen Simpson
<william.allen.simpson(a)gmail.com> wrote:
Many of these accounts have expired email, so I
don't see any notices.
Recently, one that has a current email sent me a notice that reads in
relevant part:
# Temporary password: YH2MnDD
#
# This temporary password will expire in 7 days.
# You should log in and choose a new password now. If someone else made this
# request, or if you have remembered your original password, and you no longer
# wish to change it, you may ignore this message and continue using your old
# password.
#
I use fairly long passwords with special characters (a 96 character set
including space). This replacement password is much more easily guessed.
The account could have been stolen within minutes or hours.
https://secure.wikimedia.org/wikipedia/en/wiki/Password_strength
(Merely 7 case-insensitive alphanumeric characters is equivalent to only
40 bits of strength.)
Please update the password generator to use at least 17 characters, with
at least some punctuation! (Users reading the text might have trouble
noticing blanks, so don't use the space character.)
You do not seem to understand how they get access to your password
these days. Far fewer people try to get through the front door. Most
systems have methods against brute-forcing (e.g. waiting for 5 seconds
on every third wrong guess, etc.). So brute-forcing is not desirable
against the system you are trying to hack (unless you wish to deny it
service).
The most likely scenario is an attempt to obtain either the database
through SQL injections (probably tricky on a MediaWiki setup) or
through your cookie. Most systems use a system where the hashed
salted (I hope) password is saved in the cookie. Somehow getting your
cookie will allow them to brute-force the hashed sum. Although,
depending on your system this can take from a few hours to a couple of
years.
Few systems are going to walk up to the front door and try to knock
themselves in. Your system will discover the behaviour if it is clever
enough.
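As an added example (not code from the thread or from MediaWiki), the arithmetic behind the strength complaint in the quoted message, plus a generator that meets the requested policy of at least 17 characters with some punctuation and no space; the alphabet definitions are assumptions chosen to match the descriptions in the post.

```python
import math
import secrets
import string

# Alphabets assumed for the calculation (constructed for this example,
# not MediaWiki's real temporary-password character set).
ALNUM_CI = string.digits + string.ascii_lowercase                    # 36 symbols
ALNUM_CS = string.digits + string.ascii_letters                      # 62 symbols
# Letters, digits and punctuation, deliberately without the space character.
STRONG = string.digits + string.ascii_letters + string.punctuation   # 94 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of `length`
    symbols drawn from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average number of guesses to hit a password of `bits` entropy
    (half the keyspace), for comparing generator policies."""
    return 2 ** (bits - 1)


def generate_temp_password(length: int = 17, alphabet: str = STRONG) -> str:
    """CSPRNG-based temporary password containing at least one letter,
    one digit and one punctuation character, and never a space."""
    if length < 3:
        raise ValueError("length too short to satisfy the character classes")
    while True:  # rejection sampling keeps the distribution uniform per class
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw) and " " not in pw):
            return pw


def meets_policy(pw: str, min_length: int = 17) -> bool:
    """Check a password against the policy requested in the post."""
    return (len(pw) >= min_length and " " not in pw
            and any(c in string.punctuation for c in pw))


if __name__ == "__main__":
    for name, size, n in (("7 case-insensitive alnum", 36, 7),
                          ("7 case-sensitive alnum", 62, 7),
                          ("17 with punctuation", 94, 17)):
        b = entropy_bits(size, n)
        print(f"{name}: {b:.1f} bits, ~{expected_guesses(b):.3g} guesses")
    print("sample:", generate_temp_password())
```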