I think they should be de-sysopped - they've put the project at massive risk.
-----Original Message-----
From: wikipedia-l-bounces@Wikimedia.org [mailto:wikipedia-l-bounces@Wikimedia.org] On Behalf Of Alphax (Wikipedia email)
Sent: 03 February 2006 03:52
To: wikipedia-l@Wikimedia.org
Subject: Re: [Wikipedia-l] Re: [Wikitech-l] Password security
Walter Vermeir wrote:
Andrew Gray <shimgray@...> writes:
It strikes me that announcing in advance "Hey, guys, a number of accounts INCLUDING n SYSOPS have blank passwords and can easily be taken over..", then not fixing it for a while, is a recipe for disaster. It's not that hard to generate a list of users with admin privileges, and presumably neither is it impossible to write a short script to try 800 logins...
But there can not be many sysop or higher accounts with no password (I hope).
Using no password, especially when you are a sysop, is highly irresponsible and those users should be de-sysopped.
When there are no accounts left that are anything else than normal users, then blank passwords could be enabled again for 2 weeks or so to give those users the time to pick a password.
How can users who have no access anymore to their account regain access, Brion?
Make a bugzilla ticket?
There are certainly sysops on en: who don't have email addresses entered - should /they/ be desysopped?
There are certainly plenty of people who haven't entered email addresses, and complain "I've lost my password, can you reset it for me" - but how can we be sure that they are the owner of the account, if they never entered an email address?
One solution, possibly not the best, is to force people to enter an email address, and send an "activation token" to that address. At present email is the only way people have of recovering passwords; we need to either give them another way, or make email part of the signup process.
--
Alphax - http://en.wikipedia.org/wiki/User:Alphax
Contributor to Wikipedia, the Free Encyclopedia
"We make the internet not suck" - Jimbo Wales
Public key: http://en.wikipedia.org/wiki/User:Alphax/OpenPGP