Brilliant, someone went rogue again today. Ryulong was blocked and the Main
Page deleted.
http://en.wikipedia.org/w/index.php?title=Wikipedia:Requests_for_adminship/…
67/0/0. How long until the perennial proposals start coming in? Well,
I'll start. When will desysopping long-inactive admins start to even be
considered? Anyone?
NSLE
I was listening to the radio this fine morning when Kim Komando's
Computer Minute came on ([[Kim Komando]]). She's had your common
untrusting-media-type take on Wikipedia, but I think we've come to
expect that. Anyway, she dropped an absolute bomb today about a very
"personal" matter. It seemed that she had been alerted to on-and-off
vandalism to her own article, Kim Komando, and that it was a lot of
work to get it fixed, and she was now warning that *you* or *your
organization* could be hit by hideous libel on Wikipedia next, etc,
etc. What really struck me, however, was her idea of Wikipedia's
"inherent flaw", which was letting anybody edit any page.
Isn't that the entire point of the project?
Or how about this: isn't that an inherent flaw of the entire Internet?
Anybody can buy a domain and say any horrible thing about anybody. I
think she (and the media by and large) is missing the big picture.
--Ryan
[[en:User:Merovingian]]
Would it be overkill from the perspective of the number of users/scope of
users to implement something that checked the strength of passwords as
entered? Some websites feature tools that report on the perceived strength
of your password as entered, typically from weak to decent to moderate to
good to strong, or similar wording.
Perhaps something like that, with the Wikimedia software having an option to
simply refuse acceptance of anything less than 'moderate' value? You can
have it check at each login, and in the event that it fails the 'moderate'
test, force a password change. Since you in turn can't now enter a crap
password, it will push everyone to add a decent password. Annoying, once,
but after that... all users are covered, and this should no longer require
constant monitoring afterwards (ideally).
--
Regards,
Joe
http://www.joeszilagyi.com
>Anyone,
>Same thread - different question. This message has been placed on my Watch
>List Page: "For your own security, please choose a secure password." I went
>ahead and did change my password to a longer, mixed case one. Will this
>message eventually disappear, or is it telling me I still need to change
>to something more secure?
>Just asking,
>Marc Riddell
I don't know if this has been answered already, but I'm answering again if
it has. I put that message up at [[MediaWiki:Watchdetails]] with intention
of it staying up 2-3 days, or long enough for the majority of regular users
to see it. It is a direct copy of the additions that were suggested and
implemented at [[MediaWiki talk:Signupend]].
--John Reaves
> -----Original Message-----
> From: Larry Pieniazek [mailto:lar@miltontrainworks.com]
> Sent: Tuesday, May 08, 2007 1:31 PM
> To: 'wikien-l(a)lists.wikimedia.org'
> Subject: Password checking
>
> Todd might or might not be willing to share this code (it's not GFDL
> at this time)...
This should have said GPL not GFDL, sorry about that! And as it turns out,
the code IS GPL and thus theoretically available if there is interest. I can
put whomever in touch with the right people.
> But there ARE better password checkers out there.
(that was just one example... It's better than something that thinks that
password123456 is okish :) )
Larry Pieniazek
Work mail: lpieniaz at us.ibm.com
Hobby mail: lar at miltontrainworks.com
> Date: Tue, 8 May 2007 16:29:31 +0100
> From: geni <geniice(a)gmail.com>
> Subject: Re: [WikiEN-l] Feasible security idea for login? (was: Admin
> account cracker about to be run internally)
> So far every password testing website the IRC crew tested rated
> Password123456 as at least moderate.
> --
> geni
Try this checker
http://www.lugnet.com/people/members/pwsa/
It rates password123456 as weak and says why...
Appraisal: Weak (FAIL)
Weaknesses:
* Highly risky:
o Numeric sequence 123456
o Keyboard row sequence 123456
o Keyboard neighbor sequence 123456
o Ascending ASCII sequence 123456
* Mildly risky:
o Absent of any special characters (non-alphanumeric)
o Dictionary words: 123456, 12345, password, sword
* Slightly risky:
o Character run ss
o Absent of any capital letters A-Z
o Numeric sequence 123456 (from 123456)
o Numeric sequence 55 (from ss)
o Dictionary words: 1234, 123, 234, 3456, asg (from 456), ass,
asw, diz (from d12), dize (from d123), drow (from word), eas (from 345),
easg (from 3456), ehs (from 345), ize (from 123), lze (from 123), ord, pas,
pass, rdi (from rd1), rdl (from rd1), rows (from swor), saez (from 2345),
shez (from 2345), ssap (from pass), ssw, swo, swor, wor, word, zea (from
234), zeh (from 234), zehs (from 2345)
Estimate of overall strength: -609%
That's not at all an acceptable rating from that checker and lugnet will not
let you use password123456 as a password unless you check a box saying that
you accept that it's sucky.
Todd might or might not be willing to share this code (it's not GFDL at this
time)... But there ARE better password checkers out there.
Larry Pieniazek
Work mail: lpieniaz at us.ibm.com
Hobby mail: lar at miltontrainworks.com
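A checker along the lines Joe proposed earlier in the thread, scoring the same weakness categories the lugnet report above lists (sequences, dictionary words, character runs, missing character classes). This is an added example, not the lugnet code, not MediaWiki's checker and not from the original thread; the keyboard rows and the tiny dictionary are constructed stand-ins.

```python
import re
# Constructed rules modelled on the lugnet report's categories; the word list
# is a deliberately tiny stand-in for a real dictionary.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
DICTIONARY = {"password", "sword", "word", "pass", "admin", "wiki"}  # constructed

def sequences(pw, min_len=4):
    """Maximal runs of >= min_len chars that ascend by one ASCII code
    ('123456', 'abcd') or sit consecutively on a keyboard row ('qwert')."""
    low, runs = pw.lower(), set()
    for i in range(len(low)):
        for j in range(len(low), i + min_len - 1, -1):           # longest first
            chunk = low[i:j]
            ascending = all(ord(b) - ord(a) == 1 for a, b in zip(chunk, chunk[1:]))
            if ascending or any(chunk in row for row in KEYBOARD_ROWS):
                if not any(chunk in r for r in runs):           # drop sub-runs
                    runs.add(chunk)
                break
    return runs

def weaknesses(pw):
    """(severity, description) findings; 3 = highly, 2 = mildly, 1 = slightly risky."""
    low, found = pw.lower(), []
    for run in sorted(sequences(pw)):
        found.append((3, f"sequence {run}"))
    if len(pw) < 8:
        found.append((3, "shorter than 8 characters"))
    words = {low[i:j] for i in range(len(low)) for j in range(i + 3, len(low) + 1)}
    if words & DICTIONARY:
        found.append((2, "dictionary words: " + ", ".join(sorted(words & DICTIONARY))))
    if not re.search(r"[^a-zA-Z0-9]", pw):
        found.append((2, "no special characters"))
    for m in re.finditer(r"(.)\1+", low):                        # e.g. the 'ss' in password
        found.append((1, f"character run {m.group()}"))
    if not re.search(r"[A-Z]", pw):
        found.append((1, "no capital letters"))
    return found

def appraise(pw):
    """'weak' / 'moderate' / 'strong', like the lugnet 'Appraisal' line: one
    highly risky finding, or enough lesser ones, fails the password outright."""
    sev = [s for s, _ in weaknesses(pw)]
    if 3 in sev or sum(sev) >= 4:
        return "weak"
    return "strong" if not sev else "moderate"

def accept_password(pw):
    """Joe's proposal: refuse anything that rates below 'moderate'."""
    return appraise(pw) != "weak"
```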
I realize that it cannot be taken out of mailboxes once it was delivered. I
wonder whether it cannot be removed from our own records, such as the May 2007
archive.
Danny
As noted in other threads on several mailing lists, a few admin accounts
on en.wikipedia have been compromised recently, used to vandalize
high-traffic protected pages.
We're starting to roll out some additional protections against
password-guessing attacks, including but not limited to:
* Additional logging to better detect dictionary-style attacks
* Speed-bump measures against multiple failed logins
[But none that should DoS legitimate users. The traditional "lock out the
account after three tries" would make it trivial to lock out all the
site's sysops -- not wise. :)]
* Weak-password checks on existing sysops on our largest sites. Several
accounts have had their weak passwords invalidated and will need to
reset by mail before logging in again.
* Several targeted blocks against known cracking attempts.
Over the coming days we will additionally be rolling out more automated
password-strength checkers at login / set-password / change-password
time to reduce the danger of guessable passwords.
Please distribute this information as appropriate to your local
projects/languages.
- -- brion vibber (brion @ wikimedia.org)
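The speed-bump idea from the message above, as an added example that is not part of the original message and not MediaWiki's actual throttle: failed logins earn a growing wait, keyed on account and client address, but the account itself is never locked, so deliberate failures cannot shut a sysop out. The account name and client addresses in demo() are constructed.

```python
import time

class LoginSpeedBump:
    """Failure throttle keyed on (account, client address). Each failure earns
    a growing wait before the next attempt is evaluated; the account is never
    locked, which is the flaw in 'lock out after three tries' noted above.
    Constructed illustration, not MediaWiki's own throttle."""
    def __init__(self, base_delay=1.0, max_delay=60.0, window=900.0, clock=time.monotonic):
        self.base, self.max, self.window, self.clock = base_delay, max_delay, window, clock
        self._state = {}   # (account, client) -> (failure count, time of last failure)

    def wait_required(self, account, client):
        """Seconds the caller must still wait before an attempt is allowed (0.0 if none)."""
        key = (account, client)
        if key not in self._state:
            return 0.0
        failures, last = self._state[key]
        if self.clock() - last > self.window:     # stale record: forget it
            del self._state[key]
            return 0.0
        delay = min(self.max, self.base * 2 ** (failures - 1))   # 1, 2, 4, ... seconds
        return max(0.0, last + delay - self.clock())

    def record(self, account, client, success):
        """Call after each attempt: a success clears the bump, a failure grows it.
        A real deployment would also write the failure to the auth log (the
        'additional logging' above) so dictionary-style attacks stand out."""
        key = (account, client)
        if success:
            self._state.pop(key, None)
            return
        failures, _ = self._state.get(key, (0, 0.0))
        self._state[key] = (failures + 1, self.clock())

def demo():
    """Scripted scenario on a fake clock: three rapid failures from one client,
    the same account untouched from the owner's client, then the record expiring."""
    now = [1000.0]
    bump = LoginSpeedBump(clock=lambda: now[0])
    acct, attacker, owner = "ExampleAdmin", "203.0.113.7", "198.51.100.9"  # constructed
    waits = []
    for _ in range(3):
        waits.append(bump.wait_required(acct, attacker))
        bump.record(acct, attacker, success=False)
        now[0] += 0.5
    fourth = bump.wait_required(acct, attacker)      # 3.5 s still to wait
    from_owner = bump.wait_required(acct, owner)     # owner's client is unaffected
    now[0] += 1000                                   # past the 900 s window
    return waits, fourth, from_owner, bump.wait_required(acct, attacker)
```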
> Do you realize how ludicrous what you're saying is, though? Can the
> **AA sue the telephone company if I read the key over the telephone?
> Can they sue Fedex if I ship the key through their service?
Can they sue? Sure. Would they win? Probably not. Remember the old adage that when a lawyer throws a party he likes to invite everyone.
The trick is finding that happy medium between a careless risk of litigation and absolute paranoia. It's not easy.
JB