Tomasz Wegrzanowski wrote:
brion vibber (brion @ pobox.com) wrote:
While running some password security checks, I found that a handful of sysop accounts had blank passwords. Probably some non-sysop accounts also had blanks.
Affected accounts can reset the password by the automated e-mail password gadget on the login form, unless of course they didn't put in an e-mail.
This is seriously wrong. It should be completely reversed.
A lot of people have just lost their account because of this, and it wasn't even announced that it was coming. This part of the problem could be reduced if the change was announced in advance.
For those users who do have e-mail addresses for their accounts, were there any provisions made to try and send a simple e-mail to those users asking them to update their accounts with stronger passwords? Especially sysops?
While I support the actions of Brion to try and strengthen the passwords for user accounts, some internal notice should have been given in more widely read forums, of which Wikitech-l and Foundation-l are not really widely read forums for the typical Wikimedian. Actually, I don't know of a good place, although there are several places that would work to at least notify a few more people than simply the e-mail lists.
I feel for Brion, however. He is trying to secure the servers from idiots and vandals when Wikimedia policies encourage idiots and vandals to participate and wreck things.