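Good morning. Here are the details of the enwiki password cracking and the advisory that I wrote about on the jawiki Village Pump (announcements).
I hear that some administrators on the English Wikipedia had used "password" or their own account name as their password; if anyone here happens to be using such a weak password, I strongly recommend changing it.
Administrators in particular, please take extra care in managing your passwords.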
---------- Forwarded message ----------
From: Brion Vibber brion@wikimedia.org
Date: May 8, 2007 7:17 AM
Subject: [Foundation-l] Password security notes
To: Wikimedia developers wikitech-l@lists.wikimedia.org
Cc: wikipedia-l@lists.wikimedia.org, Wikimedia Foundation Mailing List foundation-l@lists.wikimedia.org, wikien-l@lists.wikimedia.org
As noted in other threads on several mailing lists, a few admin accounts on en.wikipedia have been compromised recently, used to vandalize high-traffic protected pages.
We're starting to roll out some additional protections against password-guessing attacks, including but not limited to:
* Additional logging to better detect dictionary-style attacks
* Speed-bump measures against multiple failed logins [But not ones that should DoS legitimate users. The traditional "lock out the account after three tries" would make it trivial to lock out all the site's sysops -- not wise. :)]
* Weak-password checks on existing sysops on our largest sites. Several accounts have had their weak passwords invalidated and will need to reset by mail before logging in again.
* Several targeted blocks against known cracking attempts.
Over the coming days we will additionally be rolling out more automated password-strength checkers at login / set-password / change-password time to reduce the danger of guessable passwords.
Please distribute this information as appropriate to your local projects/languages.
-- brion vibber (brion @ wikimedia.org)
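The forwarded message contrasts "speed-bump" measures with locking an account after three tries. The sketch below is an added example, not part of the original message and not MediaWiki's code, showing one way to get that property: failures are counted per (client address, account) pair and only delay that pair. The class name, thresholds and delays are assumptions chosen for illustration.

```python
import time


class LoginSpeedBump:
    """Delay repeated failed logins per (client address, account) pair.

    Nothing is ever locked: a pair that keeps failing just waits longer,
    and the same account stays usable from every other address.
    """

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=300.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts  # failures tolerated with no delay
        self.base_delay = base_delay        # seconds; doubles per further failure
        self.max_delay = max_delay          # cap, so the wait always ends
        self.clock = clock                  # injectable for testing
        self._state = {}                    # (addr, account) -> (failures, last failure time)

    def retry_after(self, addr, account):
        """Seconds this pair must still wait; 0.0 means an attempt may proceed."""
        failures, last = self._state.get((addr, account), (0, 0.0))
        extra = failures - self.free_attempts
        if extra < 0:
            return 0.0
        delay = min(self.base_delay * 2 ** extra, self.max_delay)
        return max(0.0, last + delay - self.clock())

    def record(self, addr, account, success):
        """Record the outcome of an attempt that was allowed to proceed."""
        key = (addr, account)
        if success:
            self._state.pop(key, None)      # a good login clears the bump
            return
        failures, _ = self._state.get(key, (0, 0.0))
        self._state[key] = (failures + 1, self.clock())


if __name__ == "__main__":
    # Constructed sample: documentation-range addresses, made-up account name.
    bump = LoginSpeedBump()
    for _ in range(5):
        bump.record("203.0.113.7", "ExampleSysop", success=False)
    print("guessing source waits:", bump.retry_after("203.0.113.7", "ExampleSysop"))
    print("owner elsewhere waits:", bump.retry_after("198.51.100.20", "ExampleSysop"))
```

Keying on the pair does not slow guessing that is spread across many addresses, which is where the logging and password-strength checks in the message come in. A deployed version would also expire old entries from the table.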