I know it's been said many times, but two-factor authentication, mandatory for accounts with advanced privileges and optionally available for everyone else, would seem to be a logical step. It's not foolproof, but it would go a long way to making us less of a soft target.
Cheers, Craig
On 12 November 2016 at 22:22, Fæ faewik@gmail.com wrote:
Do any of the volunteers contributing to this list have ideas for changes that may make a significant difference to security?
Yesterday saw Jimmy Wales' Wikipedia account getting hacked, in the process appearing to promote an organisation.[1] It was not the only account compromised. This is being analysed, though as there are security issues being examined, the analysis has not been made public so far; plus it's the weekend :-)
Over the last few years, there have been improvements on account set-up and choice of passwords, along with user suggestions for better account management. Users can also choose to use committed identities[2] to make account recovery easier, and are encouraged to use more secure passwords. Two-factor authentication,[3] such as using mobile phone text messages, has been suggested a few times by volunteers, and this might be a good moment to encourage the WMF to have better facilities built into the projects. We could even make two-factor identification a requirement for trusted users, such as administrators, important bots, and "high profile" accounts, where they may have special rights that could cause a fair amount of disruption if a hacked account were not identified quickly. Considering that some administrator accounts can lie dormant for many months without the actual user monitoring it, these could end up being far more disruptive than well-watched accounts like Jimmy's.
We may want extra security to remain mostly optional, keeping our projects simple to access. Education of new volunteers and trusted users may be critical for making it effective, such as avoiding social hacking. A clearer understanding of what the community would want to see improved would probably help set development priorities.
Links
[1] https://en.wikipedia.org/wiki/User_talk:Jimbo_Wales#Compromised
[2] https://en.wikipedia.org/wiki/Template:Committed_identity
[3] https://en.wikipedia.org/wiki/Multi-factor_authentication
Thanks, Fae -- faewik@gmail.com https://commons.wikimedia.org/wiki/User:Fae
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
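Added example, not part of the thread and not Wikimedia or WMF code: the messages above propose a second factor without describing one, so this shows the mechanics of the time-based one-time password (TOTP, RFC 6238) used by authenticator apps, which is a different delivery channel from the SMS codes the mail mentions. The shared secret is the RFC 6238 test-vector secret, the 30-second step and one-step tolerance window are assumptions, and the verifier refuses to accept a counter value it has already accepted, which is the replay check a practitioner wants in any server-side implementation.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC the 8-byte big-endian
    counter, dynamically truncate to 31 bits, keep the low `digits` digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """Time-based variant (RFC 6238): the counter is the number of `step`
    second intervals elapsed since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits, algo)


class TotpVerifier:
    """Server-side check of a submitted code.

    `window` is how many steps of clock skew to tolerate on either side.
    `last_counter` records the highest counter already redeemed so that a
    code captured in transit cannot be replayed inside the window.
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 1,
                 digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.last_counter = -1

    def verify(self, code: str, at_time: float) -> bool:
        counter = int(at_time) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # already redeemed (or older): reject replays
            expected = hotp(self.secret, c, self.digits)
            # constant-time comparison so timing does not leak digit matches
            if hmac.compare_digest(expected, code):
                self.last_counter = c
                return True
        return False


# Secret from the RFC 6238 test vectors (constructed input, not a real key).
RFC6238_SECRET = b"12345678901234567890"


def demo() -> dict:
    """Walk through the RFC test vector and the replay case; returns the
    outcomes so they can be checked rather than only printed."""
    v = TotpVerifier(RFC6238_SECRET, step=30, window=1)
    first = v.verify(totp(RFC6238_SECRET, 59), 59)      # fresh code: accepted
    replay = v.verify(totp(RFC6238_SECRET, 59), 59)     # same code again: rejected
    return {"rfc_t59_8digit": totp(RFC6238_SECRET, 59, digits=8),
            "first": first, "replay": replay}


if __name__ == "__main__":
    print(demo())
    print("current code:", totp(RFC6238_SECRET, time.time()))
```

The window exists because phone and server clocks drift; keep it to one step, since every extra step doubles the number of codes an attacker can guess against. The `last_counter` state must live per user on the server (here it is in memory for the example), otherwise a code phished or shoulder-surfed within the 30-second step remains usable.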