Brion will get to it after his morning mail.
If you have a rubbish password, I suggest you change it to a good one right now!
- d.
On 5/7/07, David Gerard dgerard@gmail.com wrote:
Brion will get to it after his morning mail.
If you have a rubbish password, I suggest you change it to a good one right now!
- d.
Not sure why we would limit this to admin accounts only. Could we get Brion to also run this tool against future promoted users (have it continuously monitor the bureaucrat log)?
On 08/05/07, Charlotte Webb charlottethewebb@gmail.com wrote:
On 5/7/07, David Gerard dgerard@gmail.com wrote:
Brion will get to it after his morning mail. If you have a rubbish password, I suggest you change it to a good one right now!
Not sure why we would limit this to admin accounts only. Could we get Brion to also run this tool against future promoted users (have it continuously monitor the bureaucrat log)?
For casual readers, it doesn't matter that much. For admins, it really matters.
The devs are working on various sensible approaches to this problem.
- d.
Could we get Brion to also run this tool against future promoted users (have it continuously monitor the bureaucrat log)?
Seems like overkill. If crats simply ask successful candidates to confirm that they have a compliant password *before* sysopping them, then the problem is solved.
On 5/8/07, doc doc.wikipedia@ntlworld.com wrote:
Seems like overkill. If crats simply ask successful candidates to confirm that they have a compliant password *before* sysopping them, then the problem is solved.
If they just nod "yes" because they can't be bothered to change their passwords to something other than "fuckyou" or "Password1" or whatever, we will eventually be right back where we started.
I don't see how we could put much faith into a security measure that is no more sophisticated than "taking their word for it".
Charlotte Webb wrote:
On 5/8/07, doc doc.wikipedia@ntlworld.com wrote:
Seems like overkill. If crats simply ask successful candidates to confirm that they have a compliant password *before* sysopping them, then the problem is solved.
If they just nod "yes" because they can't be bothered to change their passwords to something other than "fuckyou" or "Password1" or whatever, we will eventually be right back where we started.
I don't see how we could put much faith into a security measure that is no more sophisticated than "taking their word for it".
We choose admins for their good judgment and trustworthiness. Whilst they may be unaware of password potential problems if we can't "take their word for it", when directly asked, then they should not be admins.
On 5/8/07, doc doc.wikipedia@ntlworld.com wrote:
We choose admins for their good judgment and trustworthiness. Whilst they may be unaware of password potential problems if we can't "take their word for it", when directly asked, then they should not be admins.
That is, at least, the theory.
In practice we choose admins for their persistence and friendliness.
Kelly
On 5/8/07, doc doc.wikipedia@ntlworld.com wrote:
We choose admins for their good judgment and trustworthiness.
I agree, but the community has their own set of standards which is less relevant.
if we can't "take their word for it", when directly asked, then they should not be admins.
I agree, but if we are not able to know for sure until after somebody borrows their account to delete the main page (or put tubgirl on the site notice), it's a pointless question to ask.
Of course there will always be those who will have an uncrackable password but go insane and cause the same problems. This will be unpreventable, but hopefully less common.
On 0, Charlotte Webb charlottethewebb@gmail.com scribbled:
On 5/8/07, doc doc.wikipedia@ntlworld.com wrote:
Seems like overkill. If crats simply ask successful candidates to confirm that they have a compliant password *before* sysopping them, then the problem is solved.
If they just nod "yes" because they can't be bothered to change their passwords to something other than "fuckyou" or "Password1" or whatever, we will eventually be right back where we started.
I don't see how we could put much faith into a security measure that is no more sophisticated than "taking their word for it".
As Reagan liked to say, 'Trust but verify.' What's wrong with taking their word for it and then periodically running the cracker whenever the servers are not busy?
-- Gwern Inquiring minds want to know.
On 5/8/07, David Gerard dgerard@gmail.com wrote:
For casual readers, it doesn't matter that much. For admins, it really matters.
Right. Admins make all sorts of privileged actions virtually all of which can be trivially reverted while casual readers only select the board.... oh. hm.
On 5/8/07, Gregory Maxwell gmaxwell@gmail.com wrote:
On 5/8/07, David Gerard dgerard@gmail.com wrote:
For casual readers, it doesn't matter that much. For admins, it really matters.
Right. Admins make all sorts of privileged actions virtually all of which can be trivially reverted while casual readers only select the board.... oh. hm.
Don't know what either of you is really getting at, but this is simply inaccurate. Admins have recourse to deleted revisions, which may contain much content in breach of the law, if it were published, rather than merely archived deleted revisions.
The board can not revoke the licensing of the content, so their actions are largely insignificant in terms of ability to cause any lasting harm at all, and unlike the adminship, there is a regular process for their continuous review and reconfirmation or replacement.
Now what was your point again?
-- Jussi-Ville Heiskanen, ~ [[User:Cimon Avaro]]
On 5/8/07, Gregory Maxwell gmaxwell@gmail.com wrote:
On 5/8/07, David Gerard dgerard@gmail.com wrote:
For casual readers, it doesn't matter that much. For admins, it really matters.
Right. Admins make all sorts of privileged actions virtually all of which can be trivially reverted while casual readers only select the board.... oh. hm.
Yes, if an admin account gets compromised it can be reverted. We've seen that enough times already. The thing is, it's a pain. It takes administrator resources when it could easily be avoided by being more secure.
Mgm