Due to an attacker mass-abusing accounts with weak passwords, passwords that are the same as the username can no longer be used. Affected accounts can reset their password by e-mail to something more secure.
Please report the change back to your various communities in case someone needs help...
-- brion vibber (brion @ wikimedia.org)
Perfect.
I suggest we also introduce a warning if the password is weak.
Wikipedia-l mailing list Wikipedia-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/wikipedia-l
And how can people have their account back if they didn't give any e-mail address?
Hoi, probably by asking nicely on OTRS? Thanks, GerardM
And how can people have their account back if they didn't give any e-mail address?
We've just been discussing this on the enwiki buro noticeboard. In the case we were discussing, the user had linked to their itwiki account which did have an email address, so we could confirm their identity and the plan is to rename the account so it will no longer match the password. However, if there isn't any way to confirm the identity of the user then I think the account is lost for good - there is no way to know if the person requesting access to their account is the owner of the account. That's the price you pay for not having the common sense to use a sensible password.
I must agree, but there are some users we can identify through IRC nicknames (when they are registered), so who should we ask?
Wikipedia should be more user friendly than that. No need for us to act like BOFHs.
2007/4/29, Thomas Dalton thomas.dalton@gmail.com:
Wikipedia should be more user friendly than that. No need for us to act like BOFHs.
Do you have a suggestion for how to handle it? If we can't confirm someone's identity, we can't give them access to the account, however friendly we may be.
Well, to make the request one would have to know that it's an account that is hit by the measure. That means that either one knows the password is equal to the login name, or one has guessed it. In the first case they are the correct person. In the second case, they basically have done some password cracking, which even with an easy password is not a trivial thing. I would say that for an active account, if there is only one request within a reasonable timespan, it would be safe to assume it comes from the user him/herself. For inactive accounts I would say "too bad, get a new one."
It's not difficult to write a bot that goes through lots of accounts trying to log in with the username as the password and seeing if it works. That's why such passwords have been blocked. If we let people into the accounts without any verification we might as well just let people keep the insecure passwords.
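Thomas's point above (a bot walking through many accounts, trying the username as the password) has a defender-side signature that does not require knowing which password was tried: one source attempting logins against many distinct accounts in a short window. The following is an added example, not code from the thread or from MediaWiki; the log line format, the 10-minute window and the 5-account threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real Wikimedia data), one attempt per line:
# "<ISO timestamp> <source IP> <username> <success|fail>".
SAMPLE_LOG = """\
2007-04-26T10:00:01 203.0.113.5 Alice fail
2007-04-26T10:00:02 203.0.113.5 Bob success
2007-04-26T10:00:03 203.0.113.5 Carol fail
2007-04-26T10:00:04 203.0.113.5 Dave success
2007-04-26T10:00:05 203.0.113.5 Eve fail
2007-04-26T10:00:06 203.0.113.5 Frank fail
2007-04-26T10:05:00 198.51.100.7 Alice fail
2007-04-26T10:05:30 198.51.100.7 Alice success
2007-04-26T10:06:00 198.51.100.7 Alice fail
"""

def parse_line(line):
    """Split one log line into (timestamp, source, user, succeeded)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result == "success"

def find_spraying_sources(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source: {"users": [...], "compromised": [...]}} for every source
    that attempted logins to at least `min_users` distinct accounts within any
    sliding `window`.  A legitimate user retrying one account never trips this;
    a bot walking the account list does, whatever password it tried."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user, ok = parse_line(line)
            by_src[src].append((ts, user, ok))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # advance the window's left edge until it spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {u for _, u, _ in attempts[start:end + 1]}
            if len(distinct) >= min_users:
                flagged[src] = {
                    "users": sorted({u for _, u, _ in attempts}),
                    # accounts the sprayer actually got into: these need forced resets
                    "compromised": sorted({u for _, u, ok in attempts if ok}),
                }
                break
    return flagged
```

The "compromised" list is the part that matters operationally: those are the accounts whose passwords must be reset, whereas the retrying user on the second source is never flagged.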
Why not?