My staff email is boring. You're more than welcome to break in.
-Chad
On Aug 7, 2014 7:27 PM, "Pine W" <wiki.pine(a)gmail.com> wrote:
There are "good" reasons people would target checkuser accounts, WMF staff email accounts, and other accounts that have access to lots of private info like functionary email accounts and accounts with access to restricted IRC channels.
Pine
On Thu, Aug 7, 2014 at 11:21 AM, Ryan Lane <rlane32(a)gmail.com> wrote:
On Thu, Aug 7, 2014 at 6:58 AM, Casey Brown <lists(a)caseybrown.org> wrote:
On Thu, Aug 7, 2014 at 8:10 AM, Risker <risker.wp(a)gmail.com> wrote:
A lot of the "solutions" normally bandied about involve things like two-factor identification, which has the "additional" password coming through a separate route (e.g., gmail two-factor ID sends a second password as a text to a mobile) and means having more expensive technology, or using technology like dongles that cannot be sent to users in certain countries.
Actually, most modern internet implementations use the TOTP algorithm, an open standard that anyone can use for free.
<https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm>

One of the most common methods, other than through text messages, is the Google Authenticator app that anyone can download for free on a smart phone. <https://en.wikipedia.org/wiki/Google_Authenticator>
Yep. This. It's already being used for high-risk accounts on wikitech.wikimedia.org. It's not in good enough shape to be used anywhere else, since if you lose your device you'd lose your account. Supporting two factor auth also requires supporting multiple ways to rescue your account if you lose your device (and don't write down your scratch tokens, which is common). Getting this flow to work in a way that actually adds any security benefit is difficult. See the amount of effort Google has gone through for this.
Let's be a little real here, though. There's honestly no good reason to target these accounts. There's basically no major damage they can do and there's very little private information accessible to them, so attackers don't really care enough to attack them.
We should take basic account security seriously, but we shouldn't go overboard.
- Ryan
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l