Tomasz Wegrzanowski wrote:
brion vibber (brion @ pobox.com) wrote:
While running some password security checks, I found that a handful of sysop
accounts had blank passwords. Probably some non-sysop accounts also had blanks.
Affected accounts can reset the password by the automated e-mail
password gadget on the login form, unless of course they didn't put in an e-mail.
This is seriously wrong. It should be completely reversed.
A lot of people have just lost their account because of this,
and it wasn't even announced that it was coming.
This part of the problem could be reduced if the change was
announced in advance.
For those users who do have e-mail addresses for their accounts, were
there any provisions done to try and send a simple e-mail to those users
asking them to update their accounts with stronger passwords?
Especially sysops?
While I support the actions of Brion to try and strengthen the passwords
for user accounts, some internal notice should have been given in more
widely read forums, of which Wikitech-l and Foundation-l are not really
widely read forums for the typical Wikimedian. Actually, I don't know
of a good place, although there are several places that would work to at
least notify a few more people than simply the e-mail lists.
I feel for Brion, however. He is trying to secure the servers from
idiots and vandals when Wikimedia policies encourage idiots and vandals
to participate and wreck things.
--
Robert Scott Horning