-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
As noted in other threads on several mailing lists, a few admin accounts on en.wikipedia have been compromised recently, used to vandalize high-traffic protected pages.
We're starting to roll out some additional protections against password-guessing attacks, including but not limited to:
* Additional logging to better detect dictionary-style attacks
* Speed-bump measures against multiple failed logins [But nothing that should DoS legitimate users. The traditional "lock out the account after three tries" would make it trivial to lock out all the site's sysops -- not wise. :)]
* Weak-password checks on existing sysops on our largest sites. Several accounts have had their weak passwords invalidated and will need to reset by mail before logging in again.
* Several targeted blocks against known cracking attempts.
Over the coming days we will additionally be rolling out more automated password-strength checkers at login / set-password / change-password time to reduce the danger of guessable passwords.
Please distribute this information as appropriate to your local projects/languages.
-- brion vibber (brion @ wikimedia.org)
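The first two bullets of the message above, a delay-based speed bump that cannot be turned into a lockout and per-attempt logging that a detector can scan for dictionary-style attacks, as an added Python example. This is not MediaWiki code and not from anyone on this thread; the delay constants, the credential store, the usernames and the IP addresses are constructed for the example, and HardLockout is included only to show the "lock after three tries" failure mode the bracketed note warns about.

```python
import hmac
from collections import Counter, defaultdict

# Assumed policy constants for this example (not MediaWiki's own settings).
BASE_DELAY = 1.0               # seconds imposed after the first failure
MAX_DELAY = 60.0               # cap: the slowdown never becomes a lockout
FAILURE_WINDOW = 3600.0        # failures older than this are forgotten
DICT_ATTACK_MIN_ACCOUNTS = 5   # one source failing on this many accounts is flagged

# Constructed credential store; a real system compares against stored hashes.
USERS = {"sysop_alice": "correct horse battery staple", "sysop_bob": "Tr0ub4dor&3"}

def verify(user, password):
    """Constant-time comparison against the constructed store."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)

class HardLockout:
    """The 'lock the account after three tries' policy the message warns against."""
    def __init__(self, limit=3):
        self.limit = limit
        self.failures = Counter()   # account -> failed attempts, from any source

    def attempt(self, user, password):
        if self.failures[user] >= self.limit:
            return "locked"         # even the right password is refused now
        if verify(user, password):
            return "ok"
        self.failures[user] += 1
        return "denied"

class SpeedBump:
    """Delay-based throttle keyed on (source, account): failures only slow down
    the same source against the same account, so a guesser cannot deny the
    owner logging in from elsewhere, and the delay is capped instead of
    becoming a lock. Every attempt is appended to `events` as a log record."""
    def __init__(self):
        self.failures = defaultdict(list)   # (ip, user) -> failure timestamps
        self.events = []

    @staticmethod
    def delay_for(n_failures):
        """Exponential backoff: 1s, 2s, 4s, ... capped at MAX_DELAY."""
        if n_failures == 0:
            return 0.0
        return min(MAX_DELAY, BASE_DELAY * 2 ** (n_failures - 1))

    def _recent(self, ip, user, now):
        recent = [t for t in self.failures[(ip, user)] if now - t < FAILURE_WINDOW]
        self.failures[(ip, user)] = recent
        return recent

    def attempt(self, ip, user, password, now):
        recent = self._recent(ip, user, now)
        wait = self.delay_for(len(recent))
        if recent and now - recent[-1] < wait:
            self.events.append({"t": now, "ip": ip, "user": user, "result": "throttled"})
            return "throttled", wait - (now - recent[-1])
        if verify(user, password):
            self.failures.pop((ip, user), None)
            self.events.append({"t": now, "ip": ip, "user": user, "result": "ok"})
            return "ok", 0.0
        recent.append(now)
        self.events.append({"t": now, "ip": ip, "user": user, "result": "denied"})
        return "denied", self.delay_for(len(recent))

def detect_dictionary_attacks(events, min_accounts=DICT_ATTACK_MIN_ACCOUNTS):
    """Flag sources whose failed logins spread across many distinct accounts."""
    accounts = defaultdict(set)
    for e in events:
        if e["result"] == "denied":
            accounts[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in accounts.items() if len(u) >= min_accounts}

def demo():
    """Guesser at 203.0.113.7 and the owner at 198.51.100.5 (constructed addresses)."""
    guesser, owner = "203.0.113.7", "198.51.100.5"
    guesses = ["password", "123456", "letmein", "qwerty"]

    lockout = HardLockout()
    for g in guesses[:3]:
        lockout.attempt("sysop_alice", g)
    owner_under_lockout = lockout.attempt("sysop_alice", USERS["sysop_alice"])

    bump = SpeedBump()
    t, outcomes = 0.0, []
    for g in guesses:                       # guesser retries every half second
        outcomes.append(bump.attempt(guesser, "sysop_alice", g, t))
        t += 0.5
    owner_under_bump, _ = bump.attempt(owner, "sysop_alice", USERS["sysop_alice"], t)
    for i in range(DICT_ATTACK_MIN_ACCOUNTS):   # same word sprayed across accounts
        bump.attempt(guesser, f"user{i}", "password", t + i)
    return {
        "owner_under_lockout": owner_under_lockout,   # "locked"
        "owner_under_bump": owner_under_bump,         # "ok"
        "guesser_outcomes": outcomes,
        "flagged": detect_dictionary_attacks(bump.events),
    }
```

Calling demo() shows the contrast: after three wrong guesses from one source, HardLockout refuses the owner's correct password, while SpeedBump only makes the guessing source wait (1s, 2s, ... capped at 60s) and the owner logs in from another address at once; detect_dictionary_attacks then flags the source whose failures spread across five accounts. Keying the delay on (source, account) rather than on the account alone is what keeps a guesser from denying service to the sysop; a guesser spread across many addresses is only visible in the per-account view, which is what the logged events are for.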
Brion Vibber wrote:
As noted in other threads on several mailing lists, a few admin accounts on en.wikipedia have been compromised recently, used to vandalize high-traffic protected pages.
We're starting to roll out some additional protections against password-guessing attacks, including but not limited to:
* Additional logging to better detect dictionary-style attacks
* Speed-bump measures against multiple failed logins [But nothing that should DoS legitimate users. The traditional "lock out the account after three tries" would make it trivial to lock out all the site's sysops -- not wise. :)]
What you should do here is after three failed attempts **CHANGE** the password and email the new password to the affected account. Otherwise, the account is locked up. It will require that people enter a valid email address, but oh well.
Jeff
I assume this has already been thought of, but steward accounts (as well as all admin accounts) at Meta should be checked too. A hacked steward account would be a big problem.
--John Reaves
On 5/7/07, Jeff V. Merkey jmerkey@wolfmountaingroup.com wrote:
What you should do here is after three failed attempts **CHANGE** the password and email the new password to the affected account. Otherwise, the account is locked up. It will require that people enter a valid email address, but oh well.
Jeff
foundation-l mailing list foundation-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/foundation-l
A steward account... zomg... don't even think about it! (Although, that may be easier... Special:Log/rights is on meta and we don't get as many changes there: easier to spot/fix!)
Cbrown1023
-----Original Message-----
From: foundation-l-bounces@lists.wikimedia.org [mailto:foundation-l-bounces@lists.wikimedia.org] On Behalf Of John Reaves
Sent: Monday, May 07, 2007 6:25 PM
To: Wikimedia Foundation Mailing List
Subject: Re: [Foundation-l] Password security notes
I assume this has already been thought of, but steward accounts (as well as all admin accounts) at Meta should be checked too. A hacked steward account would be a big problem.
--John Reaves
On Mon, 07 May 2007 16:19:28 -0600, Jeff V. Merkey wrote:
What you should do here is after three failed attempts **CHANGE** the password and email the new password to the affected account. Otherwise, the account is locked up. It will require that people enter a valid email address, but oh well.
Jeff
DOS and spam seem like adding insult to injury. I'd expect a lot of complaints from the poor users whose passwords change hourly.
Slowing down the response rate based on the number of requests seems less painful.
Steve Sanbeg wrote:
DOS and spam seem like adding insult to injury. I'd expect a lot of complaints from the poor users whose passwords change hourly.
Slowing down the response rate based on the number of requests seems less painful.
Actually no. Only one password email can be sent every 24 hours. This is how the current MediaWiki works, so this would work well.
Jeff
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/wikitech-l
On 07/05/07, Brion Vibber brion@wikimedia.org wrote:
We're starting to roll out some additional protections against password-guessing attacks, including but not limited to:
- Weak-password checks on existing sysops on our largest sites. Several accounts have had their weak passwords invalidated and will need to reset by mail before logging in again.
Needless to say, anyone whose password is a certain string beginning "09 F9" is blocked forever and their name put in [[Meta:Hall of Shame]] to be poked fun at.
- d.
wikimedia-l@lists.wikimedia.org
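The password-strength check at set-password / change-password time and the weak-password audit of existing sysop accounts that Brion's message describes (and that David quotes above), as an added Python example that is not MediaWiki's implementation. The dictionary, the minimum length, the leet-substitution table, the toy_hash function and the sample accounts are constructed here; a real audit would test candidate guesses against the site's actual stored hash format rather than plain SHA-256.

```python
import hashlib
import hmac
import re

# Constructed list of guessable passwords; a deployment would load a large wordlist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "wikipedia", "admin"}
MIN_LENGTH = 8   # assumed policy value, not MediaWiki's setting
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "4": "a", "5": "s"})

def normalize(text):
    """Lower-case and undo common substitutions so 'P@ssw0rd' reads as 'password'."""
    return text.lower().translate(LEET)

def check_password(username, password):
    """Policy check at set-password / change-password time.

    Returns the list of violated rules; an empty list means the password is acceptable.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    norm = normalize(password)
    base = normalize(re.sub(r"\d+$", "", password))   # 'password1' -> 'password'
    if norm in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("common_word")
    # Reject passwords built from the account name ('Alice2007!' for sysop_alice).
    tokens = [t for t in re.split(r"[^a-z]+", normalize(username)) if len(t) >= 4]
    if any(t in norm for t in tokens):
        problems.append("contains_username")
    if len(set(password)) < 4:
        problems.append("low_variety")
    return problems

def toy_hash(password):
    """Constructed stand-in for a stored password hash (not MediaWiki's scheme)."""
    return hashlib.sha256(password.encode()).hexdigest()

def audit_existing(accounts):
    """Check existing accounts without knowing their passwords.

    `accounts` maps username -> toy_hash(password). Each stored hash is tested
    against the dictionary and a few username-derived guesses; accounts that
    match are returned so their passwords can be invalidated and reset by mail.
    """
    weak = []
    for user, stored in accounts.items():
        candidates = set(COMMON_PASSWORDS)
        for t in re.split(r"[^A-Za-z0-9]+", user):
            if t:
                candidates.update({t, t.lower(), t.capitalize(), t + "1", t + "123"})
        if any(hmac.compare_digest(toy_hash(c), stored) for c in candidates):
            weak.append(user)
    return sorted(weak)

# Constructed sample accounts for a stand-alone run.
SAMPLE_ACCOUNTS = {
    "sysop_alice": toy_hash("alice123"),
    "sysop_bob": toy_hash("correct horse battery staple"),
    "sysop_carol": toy_hash("wikipedia"),
}
```

check_password returns every rule a candidate breaks rather than stopping at the first, which gives the user a complete reason at the form; audit_existing is the offline half, run over stored hashes where the plaintext is not available, and its output is the list of accounts to invalidate.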