A steward account... zomg... don't even think about it! (Although, that may
be easier... Special:Log/rights is on meta and we don't get as much changes
there: easier to spot/fix!)
Cbrown1023
-----Original Message-----
From: foundation-l-bounces(a)lists.wikimedia.org
[mailto:foundation-l-bounces@lists.wikimedia.org] On Behalf Of John Reaves
Sent: Monday, May 07, 2007 6:25 PM
To: Wikimedia Foundation Mailing List
Subject: Re: [Foundation-l] Password security notes
I assume this has already been thought of, but steward accounts (as well as
all admin accounts) at Meta should be checked too. A hacked steward account
would be a big problem.
--John Reaves
On 5/7/07, Jeff V. Merkey <jmerkey(a)wolfmountaingroup.com> wrote:
Brion Vibber wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
As noted in other threads on several mailing lists, a few admin accounts
on en.wikipedia have been compromised recently, used to vandalize
high-traffic protected pages.
We're starting to roll out some additional protections against
password-guessing attacks, including but not limited to:
* Additional logging to better detect dictionary-style attacks
* Speed-bump measures against multiple failed logins
[But not that should DoS legitimate users. The traditional "lock out the
account after three tries" would make it trivial to lock out all the
site's sysops -- not wise. :)]
What you should do here is after three failed attempts **CHANGE** the
password and email the new password
to the affected account. Otherwise, the account is locked up. It will
require people enter a valid email address, but oh well.
Jeff
_______________________________________________
foundation-l mailing list
foundation-l(a)lists.wikimedia.org
http://lists.wikimedia.org/mailman/listinfo/foundation-l
_______________________________________________
foundation-l mailing list
foundation-l(a)lists.wikimedia.org
http://lists.wikimedia.org/mailman/listinfo/foundation-l