[Foundation-l] Password security notes

John Reaves johnreaveswp at gmail.com
Mon May 7 22:25:22 UTC 2007


I assume this has already been thought of, but steward accounts (as well as
all admin accounts) at Meta should be checked too.  A hacked steward account
would be a big problem.

--John Reaves

On 5/7/07, Jeff V. Merkey <jmerkey at wolfmountaingroup.com> wrote:
>
> Brion Vibber wrote:
>
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >As noted in other threads on several mailing lists, a few admin accounts
> >on en.wikipedia have been compromised recently, used to vandalize
> >high-traffic protected pages.
> >
> >We're starting to roll out some additional protections against
> >password-guessing attacks, including but not limited to:
> >
> >* Additional logging to better detect dictionary-style attacks
> >
> >* Speed-bump measures against multiple failed logins
> >[But not ones that should DoS legitimate users. The traditional "lock out the
> >account after three tries" would make it trivial to lock out all the
> >site's sysops -- not wise. :)]
> >
> >
> What you should do here is after three failed attempts **CHANGE** the
> password and email the new password
> to the affected account. Otherwise, the account is locked up. It will
> require that people enter a valid email address, but oh well.
>
> Jeff
>
>
> _______________________________________________
> foundation-l mailing list
> foundation-l at lists.wikimedia.org
> http://lists.wikimedia.org/mailman/listinfo/foundation-l
>
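The "speed bump" approach Brion sketches above, as an added illustration (not code from this thread or from MediaWiki): each failed login on an account adds a growing wait before the next attempt is accepted and is logged so a dictionary run stands out, but nothing is ever locked, so flooding a sysop's account with bad passwords cannot deny service to its owner. Class and parameter names are assumptions chosen for the example.

```python
import logging
from collections import defaultdict

log = logging.getLogger("login")


class LoginThrottle:
    """Per-account speed bump (example design, not MediaWiki's).

    Every failure inside `window` seconds doubles the delay required before
    the next attempt, capped at `max_delay`. There is no permanent lockout:
    a correct password is always accepted once the current delay has passed.
    """

    def __init__(self, window=900, base_delay=1.0, max_delay=60.0, alert_after=10):
        self.window = window            # seconds a failure stays "recent"
        self.base_delay = base_delay    # wait after the first failure
        self.max_delay = max_delay      # cap so sysops are slowed, not locked out
        self.alert_after = alert_after  # recent failures that trigger an alert
        self._failures = defaultdict(list)  # account -> [(timestamp, source)]

    def _recent(self, account, now):
        # Drop failures older than the window and keep the pruned list stored.
        recent = [(t, s) for t, s in self._failures[account] if now - t <= self.window]
        self._failures[account] = recent
        return recent

    def wait_seconds(self, account, now):
        """Seconds the caller must still wait before an attempt is accepted."""
        recent = self._recent(account, now)
        if not recent:
            return 0.0
        last_t = recent[-1][0]
        delay = min(self.base_delay * 2 ** (len(recent) - 1), self.max_delay)
        return max(0.0, last_t + delay - now)

    def attempt(self, account, password_ok, source, now):
        """Record one login attempt; returns 'ok', 'bad-password' or 'throttled'."""
        if self.wait_seconds(account, now) > 0:
            return "throttled"
        if password_ok:
            self._failures.pop(account, None)  # success resets the speed bump
            return "ok"
        recent = self._recent(account, now)
        recent.append((now, source))
        if len(recent) >= self.alert_after:
            # The logging Brion mentions: many failures (possibly from many
            # sources) against one account looks like a dictionary attack.
            sources = {s for _, s in recent}
            log.warning("possible dictionary attack on %s: %d failures from %d sources in %ds",
                        account, len(recent), len(sources), self.window)
        return "bad-password"
```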
