Brilliant, someone went rouge again today. Ryulong was blocked and the Main Page deleted. http://en.wikipedia.org/w/index.php?title=Wikipedia:Requests_for_adminship/A... 67/0/0. How long until the perennial proposals start coming in? Well, I'll start. When will desysopping long-inactive admins start to even be considered? Anyone?
NSLE
On 5/6/07, NSLE (Wikipedia) nsle.wikipedia@gmail.com wrote:
Brilliant, someone went rouge again today. Ryulong was blocked and the Main Page deleted. http://en.wikipedia.org/w/index.php?title=Wikipedia:Requests_for_adminship/A... 67/0/0. How long until the perennial proposals start coming in? Well, I'll start. When will desysopping long-inactive admins start to even be considered? Anyone?
NSLE _______________________________________________ WikiEN-l mailing list WikiEN-l@lists.wikimedia.org To unsubscribe from this mailing list, visit: http://lists.wikimedia.org/mailman/listinfo/wikien-l
Well, now it only took 5 minutes ...
01:32, 7 May 2007 AndyZ (Talk | contribs | block) deleted "Main Page" (My password is password!) (Restore)
01:37, 7 May 2007 Drini (Talk | contribs | block) changed group membership for User:AndyZ@enwiki from sysop to (none) (rogue)
On 5/6/07, Pedro Sanchez pdsanchez@gmail.com wrote:
01:32, 7 May 2007 AndyZ (Talk | contribs | block) deleted "Main Page" (My password is password!) (Restore)
I suspect that somebody started trying to log into admin accounts with the password "password" until he found an admin using "password". What's scary is that if true he found one in the A's.
Would a 24 hour autoblock for x number of wrong passwords to any account within a certain period of time help prevent this kind of thing?
With proxies... probably useful, but not useful enough.
On 07/05/07, Ron Ritzman ritzman@gmail.com wrote:
On 5/6/07, Pedro Sanchez pdsanchez@gmail.com wrote:
01:32, 7 May 2007 AndyZ (Talk | contribs | block) deleted "Main Page" (My password is password!) (Restore)
I suspect that somebody started trying to log into admin accounts with the password "password" until he found an admin using "password". What's scary is that if true he found one in the A's.
Would a 24 hour autoblock for x number of wrong passwords to any account within a certain period of time help prevent this kind of thing?
On 5/6/07, Ron Ritzman ritzman@gmail.com wrote:
Would a 24 hour autoblock for x number of wrong passwords to any account within a certain period of time help prevent this kind of thing?
Oops, an autoblock wouldn't stop him from logging in and doing admin stuff. /me puts down the crack pipe.
Ron Ritzman wrote:
On 5/6/07, Ron Ritzman ritzman@gmail.com wrote:
Would a 24 hour autoblock for x number of wrong passwords to any account within a certain period of time help prevent this kind of thing?
Oops, an autoblock wouldn't stop him from logging in and doing admin stuff. /me puts down the crack pipe.
And it would create certain denial-of-service attack possibilities as well, so even if the block did prevent login, it wouldn't be such a good thing.
William
Pedro Sanchez wrote:
On 5/6/07, NSLE (Wikipedia) nsle.wikipedia@gmail.com wrote:
How long until the perennial proposals start coming in? Well, I'll start. When will desysopping long-inactive admins start to even be considered? Anyone?
Well, now it only took 5 minutes ...
01:32, 7 May 2007 AndyZ (Talk | contribs | block) deleted "Main Page" (My password is password!) (Restore)
01:37, 7 May 2007 Drini (Talk | contribs | block) changed group membership for User:AndyZ@enwiki from sysop to (none) (rogue)
Heh. If his password really was "password", perhaps running a password cracker against all the administrator passwords would be a good idea. As would https-based login, to reduce risk of password theft.
And now that I think about it, perhaps I'll go change my password before my RfA closes, just in case. :-)
William
Just to note, AmiDaniel has filed a bug report about the security of the login system. I particularly like the idea of using captchas after multiple attempts, to stop automated password cracking. The bug report is at http://bugzilla.wikimedia.org/show_bug.cgi?id=9816
--Michael Billington
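As an added sketch (not code from this thread and not MediaWiki's own login code) of the throttle being discussed here: failed attempts are counted per source IP and per target account, and once either count passes its limit the next attempt has to carry a solved captcha. Nothing is ever locked, which is what keeps the "x wrong passwords" idea from turning into the denial-of-service problem raised upthread. The limits, the 24-hour window, the attacker IP and the sample sysop list are all assumptions made for the demonstration.

```python
"""Login throttle for the guessing pattern discussed above: failed attempts
are counted per source IP and per target account, and once either count
passes its limit the next attempt must carry a solved captcha. The account
itself is never locked, so flooding a name with bad guesses cannot keep its
real owner out. Constructed example, not MediaWiki's own login code; the
limits and the 24-hour window are assumptions."""
import time
from collections import defaultdict

WINDOW_SECONDS = 24 * 3600  # assumption: forget failures older than a day


class LoginThrottle:
    def __init__(self, ip_limit=5, account_limit=10, clock=time.time):
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self.clock = clock                     # injectable for deterministic tests
        self.by_ip = defaultdict(list)         # ip -> timestamps of failures
        self.by_account = defaultdict(list)    # username -> timestamps of failures

    def _recent(self, bucket, now):
        """Drop failures outside the window and return how many remain."""
        cutoff = now - WINDOW_SECONDS
        bucket[:] = [t for t in bucket if t > cutoff]
        return len(bucket)

    def captcha_required(self, ip, username):
        now = self.clock()
        return (self._recent(self.by_ip[ip], now) >= self.ip_limit
                or self._recent(self.by_account[username], now) >= self.account_limit)

    def attempt(self, ip, username, password, captcha_ok, check_password):
        """Returns 'ok', 'bad_password' or 'captcha_required'. A correct
        password is still accepted once the captcha is solved."""
        if self.captcha_required(ip, username) and not captcha_ok:
            return "captcha_required"
        if check_password(username, password):
            return "ok"
        now = self.clock()
        self.by_ip[ip].append(now)
        self.by_account[username].append(now)
        return "bad_password"


# Constructed sysop list with one weak password; not real accounts.
SAMPLE_ACCOUNTS = {
    "AdminA": "Tr0ub4dor&3",
    "AdminB": "9Qp!vX2mLr",
    "AdminC": "password",
    "AdminD": "k8#Fw1zQ",
}
COMMON_GUESSES = ["password", "123456", "qwerty"]


def simulate_guessing(accounts, guesses, ip_limit=5, account_limit=10,
                      attacker_ip="203.0.113.7"):
    """Replay 'try the same few guesses against every admin, in order' from a
    single IP without solving captchas. Returns (found, outcomes): the accounts
    whose password was guessed, and the outcome of every attempt made."""
    throttle = LoginThrottle(ip_limit, account_limit)
    check = lambda user, pw: accounts.get(user) == pw
    found, outcomes = [], []
    for username in sorted(accounts):
        for guess in guesses:
            outcome = throttle.attempt(attacker_ip, username, guess,
                                       captcha_ok=False, check_password=check)
            outcomes.append((username, guess, outcome))
            if outcome == "ok":
                found.append(username)
                break
    return found, outcomes


if __name__ == "__main__":
    for limit in (5, 10**6):
        found, outcomes = simulate_guessing(SAMPLE_ACCOUNTS, COMMON_GUESSES, ip_limit=limit)
        print("ip_limit=%d: guessed %s, %d attempts answered with a captcha demand"
              % (limit, found, sum(o == "captcha_required" for _, _, o in outcomes)))
```

With the per-IP limit in place the alphabetical sweep is stopped before it reaches the weak account; with the limit effectively off it finds it. The per-IP counter is the one a proxy-hopping attacker gets around, which is why the per-account counter is there as the backstop; because the backstop only demands a captcha rather than blocking the name, it cannot be used to lock a real admin out.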
On 5/6/07, Michael Billington michael.billington@gmail.com wrote:
Just to note, AmiDaniel has filed a bug report about the security of the login system. I particularly like the idea of using captchas after multiple attempts, to stop automated password cracking. The bug report is at http://bugzilla.wikimedia.org/show_bug.cgi?id=9816
--Michael Billington
How about, "use a captcha for all login attempts"? Right now, we're having a ton of trouble with a sockmaster that
On 5/6/07, Todd Allen toddmallen@gmail.com wrote:
On 5/6/07, Michael Billington michael.billington@gmail.com wrote:
Just to note, AmiDaniel has filed a bug report about the security of the login system. I particularly like the idea of using captchas after multiple attempts, to stop automated password cracking. The bug report is at http://bugzilla.wikimedia.org/show_bug.cgi?id=9816
--Michael Billington
How about, "use a captcha for all login attempts"? Right now, we're having a ton of trouble with a sockmaster that
-- Freedom is the right to know that 2+2=4. From this all else follows.
That cuts off my messages during sending, apparently. Meant to say he likes to bot through old accounts and find weak passwords, then use them to evade semiprotection on his vandalism targets. What could possibly be bad about a captcha, unless you're a login bot?
On 5/7/07, Todd Allen toddmallen@gmail.com wrote:
That cuts off my messages during sending, apparently. Meant to say he likes to bot through old accounts and find weak passwords, then use them to evade semiprotection on his vandalism targets. What could possibly be bad about a captcha, unless you're a login bot?
I've yet to meet a captcha that isn't a pain in the arse. Often they are too blurry for even humans to easily make out, they are long strings of nonsense (it isn't trivial to copy down "ecx76ns", it takes a few seconds), you can't quite see the difference between I and l (capital i and lower-case L, that is), and then if you do get it right it turns out that you mistyped your password and then you have to do it all over again.
That's the downside. I'm not too keen on having captchas for every login, but for repeat logins from the same IP, it does make a lot of sense.
I'd like to see some changes to the password system. As it is, there are *no* restrictions on allowed passwords, as long as it is at least one character in length.
Passwords should be /required/ to be at least six characters in length and contain at least one letter and one number. Most other popular sites do at least this. (If such a change were made, users with passwords not meeting this requirement could be prompted to change theirs upon the next login.)
In addition, it should be entirely disallowed for a user to create a password containing the string "password" or that is identical to their username.
Just an idea, anyway. I think the current system needs a bit of work, because password security *is* a concern on a site as wildly popular as Wikipedia is.
Michael Billington wrote:
Just to note, AmiDaniel has filed a bug report about the security of the login system. I particularly like the idea of using captchas after multiple attempts, to stop automated password cracking. The bug report is at http://bugzilla.wikimedia.org/show_bug.cgi?id=9816
--Michael Billington
On 5/7/07, Blu Aardvark jeffrey.latham@gmail.com wrote:
In addition, it should be entirely disallowed for a user to create a password containing the string "password" or that is identical to their username.
I think one problem is that people don't view "website passwords" as important as a password to their ISP account or a unix shell account. After all, who cares if somebody cracks their nytimes.com password? You can get a shitload of those from bugmenot anyway. An exception might be their bank's website.
People view their Wikipedia accounts the same way they view a news site password so they pick a simple one like their cat's name or "password" and it may stay that way even when they are made admins.
On 07/05/07, Blu Aardvark jeffrey.latham@gmail.com wrote:
In addition, it should be entirely disallowed for a user to create a password containing the string "password" or that is identical to their username.
I agree entirely, except I think, for longer usernames at least, it should not *contain* their username. But that sorta gets stuffed up when people have like [[User:A]]. :-\
~Mark Ryan
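The rules proposed a few messages up (at least six characters, a letter and a digit, nothing containing "password" or equal to the username) together with the refinement above (for longer usernames, the password should not even contain the username, with [[User:A]] as the awkward case), written out as one check. This is an added example, not MediaWiki code; the cutoff below which a username only gets the equality test, and the sample users, are assumptions.

```python
"""Password acceptance rules as proposed above, plus the refinement that a
password should not merely differ from the username but not contain it,
with an exception for very short usernames like "A". Constructed example,
not MediaWiki code; MIN_LENGTH and SHORT_USERNAME are assumptions."""
import re

MIN_LENGTH = 6
SHORT_USERNAME = 3   # assumption: usernames this short only get the equality test


def password_problems(username, password):
    """Return the list of rule violations; an empty list means the password
    is acceptable under these rules."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    pw, user = password.lower(), username.lower()
    if "password" in pw:
        problems.append('contains "password"')
    if pw == user:
        problems.append("identical to username")
    elif len(user) > SHORT_USERNAME and user in pw:
        # For [[User:A]] the containment test would reject almost anything,
        # hence the length cutoff; such users only get the equality test above.
        problems.append("contains username")
    return problems


def must_change_at_login(username, password):
    """Hook for the migration idea in the thread: after a successful login with
    a password that fails the rules, send the user to the change-password form
    instead of letting them carry on."""
    return bool(password_problems(username, password))


if __name__ == "__main__":
    # Constructed sample users, not real accounts.
    for user, pw in [("AlphaAdmin", "password"), ("BetaAdmin", "betaadmin2007"),
                     ("A", "Tr0ub4dor"), ("GammaAdmin", "s3cure-Enough")]:
        print("%-10s %-14s %s" % (user, pw, password_problems(user, pw) or "ok"))
```

Note that these are acceptance rules, not a strength measure: "betaadmin2007" fails only on the username test, and a password built from the username with a year appended would sail through as soon as the name were a letter shorter than the cutoff.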
On 5/7/07, Mark Ryan ultrablue@gmail.com wrote:
On 07/05/07, Blu Aardvark jeffrey.latham@gmail.com wrote:
In addition, it should be entirely disallowed for a user to create a password containing the string "password" or that is identical to their username.
I agree entirely, except I think, for longer usernames at least, it should not *contain* their username. But that sorta gets stuffed up when people have like [[User:A]]. :-\
If we can get consensus to do it we could run a password cracker on all the hashes of the sysops passwords.. desysop the inactive ones with weak passwords, and quietly email the active ones with weak passwords and tell them to pick better ones.
Ultimately it would be nice if we had a password strength checker ... but doing this would address the immediate need.
Gregory Maxwell gmaxwell@gmail.com scribbled:
On 5/7/07, Mark Ryan ultrablue@gmail.com wrote:
On 07/05/07, Blu Aardvark jeffrey.latham@gmail.com wrote:
In addition, it should be entirely disallowed for a user to create a password containing the string "password" or that is identical to their username.
I agree entirely, except I think, for longer usernames at least, it should not *contain* their username. But that sorta gets stuffed up when people have like [[User:A]]. :-\
If we can get consensus to do it we could run a password cracker on all the hashes of the sysops passwords.. desysop the inactive ones with weak passwords, and quietly email the active ones with weak passwords and tell them to pick better ones.
Ultimately it would be nice if we had a password strength checker ... but doing this would address the immediate need.
I second this. The bad guys are already running password crackers. (And if they aren't already, these incidents guarantee someone will.) Let's beat 'em to the punch.
Better that we learn from this while the damage is limited. There is no downside to requiring stronger passwords; fortunately for us, this is common sense which is legislate-able.
-- Gwern Inquiring minds want to know.
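What the audit proposed above would look like in practice, as an added example (not a Wikimedia tool and not code from this thread): take the stored sysop hashes, try a short per-account guess list against each one offline, and split the hits into "inactive, desysop" and "active, email quietly" exactly as described. The hash layout used below is an assumption, namely how I recall MediaWiki storing passwords at the time (":A:" plus an unsalted MD5, or ":B:" plus salt plus MD5 of salt, a dash and the MD5 of the password); if the real layout differs, only make_hash() and verify() change. The sample rows are constructed, not real accounts or real hashes.

```python
"""Offline weak-password audit over the stored sysop hashes, the check
proposed above. Constructed example, not a Wikimedia tool. The hash
layout is an assumption (how I recall MediaWiki storing passwords at the
time): ":A:" + md5(password) for unsalted rows, and
":B:" + salt + ":" + md5(salt + "-" + md5(password)) for salted rows;
if the real layout differs, only make_hash() and verify() change."""
import hashlib

COMMON = ["password", "123456", "letmein", "qwerty", "wiki", "admin"]


def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_hash(password, salt=None):
    """Produce a stored hash in the assumed layout (used here to build sample rows)."""
    if salt is None:
        return ":A:" + md5hex(password)
    return ":B:%s:%s" % (salt, md5hex(salt + "-" + md5hex(password)))


def verify(stored, password):
    """Check one candidate password against one stored hash."""
    parts = stored.split(":")
    if parts[1] == "A":
        return parts[2] == md5hex(password)
    if parts[1] == "B":
        return parts[3] == md5hex(parts[2] + "-" + md5hex(password))
    raise ValueError("unknown hash layout: " + stored[:4])


def candidates(username):
    """Per-account guess list: common passwords, the username itself and a few
    username-derived variants, then the common words with a digit appended."""
    derived = [username, username.lower(), username + "1", username + "123",
               username.lower() + "2007"]
    return COMMON + derived + [w + "1" for w in COMMON]


def audit(rows):
    """rows: (username, stored_hash, is_active). Returns (desysop, email):
    inactive sysops whose password was guessed, to be desysopped, and active
    ones, to be told quietly to change it, each as (username, guess)."""
    desysop, email = [], []
    for username, stored, active in rows:
        for guess in candidates(username):
            if verify(stored, guess):
                (email if active else desysop).append((username, guess))
                break
    return desysop, email


# Constructed sample rows, not real accounts or real hashes from the database.
SAMPLE_ROWS = [
    ("AlphaAdmin", make_hash("password", "0a1b2c3d"), False),
    ("BetaAdmin", make_hash("betaadmin2007", "deadbeef"), True),
    ("GammaAdmin", make_hash("correct horse battery staple", "cafebabe"), True),
    ("DeltaAdmin", make_hash("letmein"), False),   # old unsalted ":A:" row
]

if __name__ == "__main__":
    desysop, email = audit(SAMPLE_ROWS)
    print("desysop:", desysop)
    print("email:  ", email)
```

Two practical points if anyone actually does this: run it against a copy of the user table on a machine the devs control rather than against the live login form (which is what the throttling thread is about stopping), and treat the output as sensitive, since a list of "these admins have guessable passwords" is exactly what the other side wants. The guess list here is deliberately tiny; the point is the workflow, and a real run would use a proper wordlist.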
I really don't see an "immediate need". The worst-case scenario would be an abusive user running a bot on an admin account and going on a deletion spree at a time a steward was not readily available. This is an incredibly unlikely scenario, as the bot would have to be smart enough to unblock itself and remove autoblocks, in addition to having access to an admin account in the first place. Even if this ever did happen, any damage actually done would be temporary, as any admin action is reversible.
I think implementing password strength measures and forcing a password change on the next login for all users with insecure ones would be sufficient.
Gregory Maxwell wrote:
If we can get consensus to do it we could run a password cracker on all the hashes of the sysops passwords.. desysop the inactive ones with weak passwords, and quietly email the active ones with weak passwords and tell them to pick better ones.
Ultimately it would be nice if we had a password strength checker ... but doing this would address the immediate need.
On 5/7/07, MacGyverMagic/Mgm macgyvermagic@gmail.com wrote:
Why is the main page even deleteable?
Because it's an ordinary page. Even if it could be somehow made undeletable it would still need to be editable so still could be blanked.
On 5/7/07, Ron Ritzman ritzman@gmail.com wrote:
On 5/7/07, MacGyverMagic/Mgm macgyvermagic@gmail.com wrote:
Why is the main page even deleteable?
Because it's an ordinary page. Even if it could be somehow made undeletable it would still need to be editable so still could be blanked.
True, but deleting and undeleting the entire edit history of the main page is more of a server strain than reverting a blanking.
Mgm
On 5/7/07, MacGyverMagic/Mgm macgyvermagic@gmail.com wrote:
True, but deleting and undeleting the entire edit history of the main page is more of a server strain than reverting a blanking.
I understood that the devs had largely solved that problem.
On 5/7/07, MacGyverMagic/Mgm macgyvermagic@gmail.com wrote:
On 5/7/07, Ron Ritzman ritzman@gmail.com wrote:
On 5/7/07, MacGyverMagic/Mgm macgyvermagic@gmail.com wrote:
Why is the main page even deleteable?
Because it's an ordinary page. Even if it could be somehow made undeletable it would still need to be editable so still could be blanked.
True, but deleting and undeleting the entire edit history of the main page is more of a server strain than reverting a blanking.
Why is it necessary to allow the front page to be blanked ?
-- John
On 5/7/07, John Vandenberg jayvdb@gmail.com wrote:
Why is it necessary to allow the front page to be blanked ?
It needs to be possible to edit it and one feature of something being edited is that it can be blanked (or at least near blanked). Blanking is pretty mild compared to some of the alternatives.
On 5/7/07, John Vandenberg jayvdb@gmail.com wrote:
Why is it necessary to allow the front page to be blanked ?
How do you stop an editable page from being blanked? Even if you did, someone could still save it with one letter or fill it with garbage. If it can be edited, it can be vandalized.
On 5/7/07, Ron Ritzman ritzman@gmail.com wrote:
On 5/7/07, MacGyverMagic/Mgm macgyvermagic@gmail.com wrote:
Why is the main page even deleteable?
Because it's an ordinary page. Even if it could be somehow made undeletable it would still need to be editable so still could be blanked.
One option we might consider would be to display some basic default content if the page is not present or blank, in the same way that MediaWiki messages work. This would make deleting or blanking the main page not so much of a problem.
On 07/05/07, Stephen Bain stephen.bain@gmail.com wrote:
One option we might consider would be to display some basic default content if the page is not present or blank, in the same way that MediaWiki messages work. This would make deleting or blanking the main page not so much of a problem.
But then that would be on a MediaWiki page, and would be editable by exactly the same people who can delete the Main Page.
~Mark Ryan
On 5/7/07, Stephen Bain stephen.bain@gmail.com wrote:
One option we might consider would be to display some basic default content if the page is not present or blank, in the same way that MediaWiki messages work. This would make deleting or blanking the main page not so much of a problem.
-- Stephen Bain
Stephen,
It would be easy to make some backup wikitext (basically a copy of the templates used on the main page), but if somebody is able to vandalize/delete the main page they would be able to vandalize/delete the backup too.
The only way the disruption could be avoided is if the hacker using an admin account to attack the main page:
1. Does not know ahead of time that a backup display exists, and...
2. Is not able to find the backup display quickly enough to also attack it before the account is blocked/desysopped.
Other than changing the mediawiki software, obscuring the way we use it would be the only hope.
CW
On 07/05/07, MacGyverMagic/Mgm macgyvermagic@gmail.com wrote:
Why is the main page even deleteable?
Because it's still a page. If you want to enshrine special status for it in the code, then by all means patch mediawiki to that extent...
Blu Aardvark wrote:
I really don't see an "immediate need". The worst-case scenario would be an abusive user running a bot on an admin account and going on a deletion spree at a time a steward was not readily available. This is an incredibly unlikely scenario, as the bot would have to be smart enough to unblock itself and remove autoblocks, in addition to having access to an admin account in the first place. Even if this ever did happen, any damage actually done would be temporary, as any admin action is reversible.
There's still history merges. In principle reversible, but in practice I imagine it would take an awful lot of effort if done maliciously.
On 5/7/07, Bryan Derksen bryan.derksen@shaw.ca wrote:
There's still history merges. In principle reversible, but in practice I imagine it would take an awful lot of effort if done maliciously.
Quiet, you.
CW
Charlotte Webb wrote:
On 5/7/07, Bryan Derksen bryan.derksen@shaw.ca wrote:
In principle reversible, but in practice I imagine it would take an awful lot of effort if done maliciously.
Quiet, you.
Censorship! <insert 16-byte hex string here>!
Seriously, though, I expect that anyone whose goal was to cause Wikipedia a serious maintenance headache rather than just the brief thrill of seeing their vandalism sprayed all over the front page of a top-10 website would be able to come up with that on their own. Putting any sort of weight on the "hopefully they won't think of doing _that_" defense only serves to give a false sense of security.
Bryan Derksen wrote:
Charlotte Webb wrote:
On 5/7/07, Bryan Derksen bryan.derksen@shaw.ca wrote:
In principle reversible, but in practice I imagine it would take an awful lot of effort if done maliciously.
Quiet, you.
Censorship! <insert 16-byte hex string here>!
Seriously, though, I expect that anyone whose goal was to cause Wikipedia a serious maintenance headache rather than just the brief thrill of seeing their vandalism sprayed all over the front page of a top-10 website would be able to come up with that on their own. Putting any sort of weight on the "hopefully they won't think of doing _that_" defense only serves to give a false sense of security.
This is frequently mentioned as a difficult-to-undo admin action. Perhaps we should discuss having some additional layer of security and/or permission necessary to perform history merges, until a mechanism for easily undoing them is created.
-Rich
On Sun, 6 May 2007, Blu Aardvark wrote:
Passwords should be /required/ to be at least six characters in length and contain at least one letter and one number. Most other popular sites do at least this. (If such a change were made, users with passwords not meeting this requirement could be prompted to change theirs upon the next login.)
Which means they'll *have* to use the same password on multiple web sites. It's just impossible for a human being to remember the dozens of different arbitrary sequences of characters needed to get around on the net these days.
You can choose between crackable passwords, and passwords that anyone who runs a web forum and logs passwords can just type in. There are no other options.
Okay, TWO in one day? A 5-year-old long-established admin account deleted the main page and added tubgirl to the sitenotice just about two hours or so ago. Surely this is just random password guessing here.
And anyone else willing to fill me in on the BuickCenturyDriver situation? I've not had internet access since the morning my time and apparently it has all gotten out of hand...
That's a good point, and I'll admit I didn't consider that. Nonetheless, I do still hold that passwords should be required to be six characters in length (maybe not requiring alphanumeric combinations), and that certain common insecure passwords (and their variants) should be disabled from a technical level.
As it is, a one-character password is perfectly valid. It's also as insecure as all get-out.
Ken Arromdee wrote:
On Sun, 6 May 2007, Blu Aardvark wrote:
Passwords should be /required/ to be at least six characters in length and contain at least one letter and one number. Most other popular sites do at least this. (If such a change were made, users with passwords not meeting this requirement could be prompted to change theirs upon the next login.)
Which means they'll *have* to use the same password on multiple web sites. It's just impossible for a human being to remember the dozens of different arbitrary sequences of characters needed to get around on the net these days.
You can choose between crackable passwords, and passwords that anyone who runs a web forum and logs passwords can just type in. There are no other options.
On 5/6/07, Blu Aardvark jeffrey.latham@gmail.com wrote:
I'd like to see some changes to the password system. As it is, there are *no* restrictions on allowed passwords, as long as it is at least one character in length.
Passwords should be /required/ to be at least six characters in length and contain at least one letter and one number.
Bugger that. My standard forum password meets those requirements, but is still incredibly weak. My Wikipedia password does *not* meet those requirements, but is much stronger, and has the added bonus that I can remember it.
On 5/8/07, Mark Wagner carnildo@gmail.com wrote:
On 5/6/07, Blu Aardvark jeffrey.latham@gmail.com wrote:
I'd like to see some changes to the password system. As it is, there are *no* restrictions on allowed passwords, as long as it is at least one character in length.
Passwords should be /required/ to be at least six characters in length and contain at least one letter and one number.
Bugger that. My standard forum password meets those requirements, but is still incredibly weak. My Wikipedia password does *not* meet those requirements, but is much stronger, and has the added bonus that I can remember it.
-- Mark [[User:Carnildo]]
Carnildo is right. If you had to pick a different password for absolutely every site you visit, you either forget it, or run into problems trying to store it somehow. Requiring people to use numbers just adds a few options to the list of possible passwords, but if the hacker spends enough time on it, that password is no safer. We should somehow try to notice multiple failed logins and warn the targeted user about what is happening if it happens again.
Mgm
I meant "rogue", of course, not red. Heh.
On 07/05/07, NSLE (Wikipedia) nsle.wikipedia@gmail.com wrote:
Brilliant, someone went rouge again today.
Yeah, at least that's quicker than last time.
On 07/05/07, Pedro Sanchez pdsanchez@gmail.com wrote:
Well, now it only took 5 minutes ...
01:32, 7 May 2007 AndyZ (Talk | contribs | block) deleted "Main Page" (My password is password!) (Restore)
01:37, 7 May 2007 Drini (Talk | contribs | block) changed group membership for User:AndyZ@enwiki from sysop to (none) (rogue)
On 5/6/07, NSLE (Wikipedia) nsle.wikipedia@gmail.com wrote:
Brilliant, someone went rouge again today. Ryulong was blocked and the Main Page deleted.
All of which was handled quickly, it seems.
How long until the perennial proposals start coming in? Well, I'll start. When will desysopping long-inactive admins start to even be considered? Anyone?
AndyZ was not a long-inactive admin; he has a volume of legit edits through the end of February.
-Matt