On Wed, 6 Aug 2014, at 21:49, Andre Klapper wrote: from what i could read and parse: use less of external things like skype and google accounts so that there is only 1 username for everything

On Wed, Aug 6, 2014 at 8:26 AM, Tyler Romeo <tylerromeo(a)gmail.com> wrote: Nice! I hadn't realized you had got so far on this. Maybe Ryan and I can get those merged in... To address Risker's comment, OATH is an open standard with lots of tools to generate the tokens, so you can use a secure token if you want to be more secure, or a browser plugin if you're just worried about someone stealing your password (which would significantly help our threat model in countries where we can't force https). Client TLS certificates are sadly really hard to manage in any sort of secure way, when you don't control the end user's machines.

On Aug 6, 2014 8:57 AM, "svetlana" <svetlana(a)fastmail.com.au> wrote: The solution to stolen credentials is to combine all credentials so that a single credential can control everything? --bawolff

As someone with one of those "high risk" accounts, one time passwords would be more likely to make me drop those permissions. Any administrator has a "high risk" account given the opportunities that they have. Risker/Anne On 7 August 2014 07:59, Pine W <wiki.pine(a)gmail.com> wrote:

On 7 August 2014 10:49, Chad <innocentkiller(a)gmail.com> wrote: Oh I have no problem with regular forced password changes, say quarterly or so; I'm used to that in other contexts. But not a one-time password, which will actually increase risk because people will choose "keep me logged in" to avoid having to get a new password every time they want to log in. These tend also to be solutions coming from moneyed countries, and some of these things involve technology that is not globally available. Risker/Anne

On 7 August 2014 12:04, Brian Wolff <bawolff(a)gmail.com> wrote: A lot of the "solutions" normally bandied about involve things like two-factor identification, which has the "additional" password coming through a separate route (e.g., gmail two-factor ID sends a second password as a text to a mobile) and means having more expensive technology) or using technology like dongles that cannot be sent to users in certain countries. I stick to my strong passwords and also subscribe to the xkcd password theory.[1] Risker/Anne [1] https://www.xkpasswd.net/c/index.cgi

On Thu, Aug 7, 2014 at 6:58 AM, Casey Brown <lists(a)caseybrown.org> wrote: Yep. This. It's already being used for high-risk accounts on wikitech.wikimedia.org. It's not in good enough shape to be used anywhere else, since if you lose your device you'd lose your account. Supporting two factor auth also requires supporting multiple ways to rescue your account if you lose your device (and don't write down your scratch tokens, which is common). Getting this flow to work in a way that actually adds any security benefit is difficult. See the amount of effort Google has gone through for this. Let's be a little real here, though. There's honestly no good reason to target these accounts. There's basically no major damage they can do and there's very little private information accessible to them, so attackers don't really care enough to attack them. We should take basic account security seriously, but we shouldn't go overboard. - Ryan

On Thu, Aug 7, 2014 at 11:27 AM, Pine W <wiki.pine(a)gmail.com> wrote: WMF uses gmail; they should force-require the use of two factor authentication for their employees if they care about that. Restricted IRC channels also don't have anything to do with Wikimedia wiki account security (and IRC security is a joke anyway, so if we're really relying on that to be secure, shame on us). - Ryan

My staff email is boring. You're more than welcome to break in. -Chad On Aug 7, 2014 7:27 PM, "Pine W" <wiki.pine(a)gmail.com> wrote:

Hm... and I am a lazy hacker, so now when you told us your password, could you please give me your username as well so that I don't have to search it? Thanks! :P On Thu, Aug 7, 2014 at 11:49 AM, Chad <innocentkiller(a)gmail.com> wrote:

I think a two-way-authentification is the first, good step to increase the security for account authentification, like wikitech still use it. But it's still a user decision to activate i tor not? Freundliche Grüße / Kind regards Florian -----Ursprüngliche Nachricht----- Von: wikitech-l-bounces(a)lists.wikimedia.org [mailto:wikitech-l-bounces@lists.wikimedia.org] Im Auftrag von Risker Gesendet: Donnerstag, 7. August 2014 10:50 An: Wikimedia developers Betreff: Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords As someone with one of those "high risk" accounts, one time passwords would be more likely to make me drop those permissions. Any administrator has a "high risk" account given the opportunities that they have. Risker/Anne On 7 August 2014 07:59, Pine W <wiki.pine(a)gmail.com> wrote: _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

On Thursday, August 7, 2014, Brian Wolff &lt;bawolff(a)gmail.com&gt; wrote: I've long wondered about that. Are there really no browser based public key based solutions? Are there any fundamental reasons why that is like that other than that it never got implemented, or never became popular? It seems like the "right" solution for the password problem. -Martijn > On 8/7/14, Pine W &lt;wiki.pine(a)gmail.com <javascript:;>> wrote: > > I think we should start looking at alternative authentication systems > > especially for high risk accounts. There are several variations on the > > theme of one-time passwords that I think could bd explored. > > > > Pine > > On Aug 6, 2014 11:05 PM, "Brian Wolff" &lt;bawolff(a)gmail.com <javascript:;>> > wrote: > > > >> On Aug 6, 2014 8:57 AM, "svetlana" &lt;svetlana(a)fastmail.com.au > <javascript:;>> wrote: > >> > > >> > On Wed, 6 Aug 2014, at 21:49, Andre Klapper wrote: > >> > > On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote: > >> > > > After reading this [1] I am wondering if Wikimedia should start > >> taking > >> > > > steps to reduce reliance on usernames and passwords. > >> > > > >> > > What "steps" do you refer to, or is this intentionally vague? > >> > > Disallowing usernames and logins? > >> > > Two-step authentication/verification? > >> > > Something else? > >> > > > >> > > andre > >> > > >> > from what i could read and parse: > >> > use less of external things like skype and google accounts > >> > so that there is only 1 username for everything > >> > > >> > > >> > >> The solution to stolen credentials is to combine all credentials so > that a > >> single credential can control everything? > >> > >> >> _______________________________________________ > >> Wikitech-l mailing list > >> Wikitech-l(a)lists.wikimedia.org <javascript:;> > >> https://lists.wikimedia.org/mailman/listinfo/wikitech-l > > _______________________________________________ > > Wikitech-l mailing list > > Wikitech-l(a)lists.wikimedia.org <javascript:;> > > https://lists.wikimedia.org/mailman/listinfo/wikitech-l > > _______________________________________________ > Wikitech-l mailing list > Wikitech-l(a)lists.wikimedia.org <javascript:;> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l

I think TLS has a feature where the client can also provide a certificate, in order to use certificates to authenticate users. I've never heard of a site actually using it. --bawolff

On Thu, Aug 7, 2014 at 6:01 AM, Brian Wolff &lt;bawolff(a)gmail.com&gt; wrote: Indeed. https://www.mediawiki.org/wiki/Extension:SSLClientAuthentication *-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science