-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 As noted in other threads on several mailing lists, a few admin accounts on en.wikipedia have been compromised recently, used to vandalize high-traffic protected pages. We're starting to roll out some additional protections against password-guessing attacks, including but not limited to: * Additional logging to better detect dictionary-style attacks * Speed-bump measures against multiple failed logins [But not that should DoS legitimate users. The traditional "lock out the account after three tries" would make it trivial to lock out all the site's sysops -- not wise. :)] * Weak-password checks on existing sysops on our largest sites. Several accounts have had their weak passwords invalidated and will need to reset by mail before logging in again. * Several targeted blocks against known cracking attempts. Over the coming days we will additionally be rolling out more automated password-strength checkers at login / set-password / change-password time to reduce the danger of guessable passwords. Please distribute this information as appropriate to your local projects/languages. - -- brion vibber (brion @ wikimedia.org)