brion vibber (brion @ pobox.com) wrote:
I've disabled the ability to use blank passwords on wiki accounts.
For a long time we treated accounts very laxly in this regard; there generally wasn't _that_ much reason to secure a casual account unless you were one of the tiny number of sysops.
In recent years though the number of sysops has exploded, and we've added customization features like the user javascript which are cool but potentially really annoying if someone gets into your account and messes with them. As a small concession to security and accountability, it's time for blank passwords to go.
While running some password security checks, I found that a handful of sysop accounts had blank passwords. Probably some non-sysop accounts also had blanks.
Affected accounts can reset the password by the automated e-mail password gadget on the login form, unless of course they didn't put in an e-mail.
This is seriously wrong. It should be completely reversed.
A lot of people have just lost their account because of this, and it wasn't even announced that it was coming. This part of the problem could be reduced if the change was announced in advance.
However, that's not the full problem. Many people use blank or trival passwords and don't give their emails. This is completely reasonable, as it's very hard to remember just another password (and reusing passwords on different websites is about as bad as having none), and even if spamming wasn't a problem, why the heck would any website need their email in the first place ?
So, while dictionary-checking sysops' passwords make a lot of sense, there's very little point in limiting passwords of the non-privileged accounts.
(and yeah, /me just lost 2 (rarely used) accounts on fr.wp and de.wp)
Tomasz Wegrzanowski wrote:
So, while dictionary-checking sysops' passwords make a lot of sense, there's very little point in limiting passwords of the non-privileged accounts.
At the moment we don't have a separate switch for sysops, nor any control which would prevent blank-password accounts from being made into sysops. I'd rather risk disabling a few accounts temporarily than keep the incredibly dangerous sysop accounts open (which could be used potenially to great destructive effect).
-- brion vibber (brion @ pobox.com)
On 1/30/06, Brion Vibber brion@pobox.com wrote:
Tomasz Wegrzanowski wrote:
So, while dictionary-checking sysops' passwords make a lot of sense, there's very little point in limiting passwords of the non-privileged accounts.
At the moment we don't have a separate switch for sysops, nor any control which would prevent blank-password accounts from being made into sysops. I'd rather risk disabling a few accounts temporarily than keep the incredibly dangerous sysop accounts open (which could be used potenially to great destructive effect).
Take your list of users with blank passwords. Import into database. Join with the groups table to turn it into sysops.. use that as a subselect in an update query to blank the password hash field on those users. Done.
I'd just write the statement off the top of my head, but I'm not used to dealing with those field. :)
On 31/01/06, Tomasz Wegrzanowski taw@users.sourceforge.net wrote:
A lot of people have just lost their account because of this, and it wasn't even announced that it was coming. This part of the problem could be reduced if the change was announced in advance.
It strikes me that announcing in advance "Hey, guys, a number of accounts INCLUDING n SYSOPS have blank passwords and can easily be taken over..", then not fixing it for a while, is a recipe for disaster. It's not that hard to generate a list of users with admin privileges, and presumably neither is it impossible to write a short script to try 800 logins...
-- - Andrew Gray andrew.gray@dunelm.org.uk
Andrew Gray wrote:
On 31/01/06, Tomasz Wegrzanowski taw@users.sourceforge.net wrote:
A lot of people have just lost their account because of this, and it wasn't even announced that it was coming. This part of the problem could be reduced if the change was announced in advance.
It strikes me that announcing in advance "Hey, guys, a number of accounts INCLUDING n SYSOPS have blank passwords and can easily be taken over..", then not fixing it for a while, is a recipe for disaster.
Bingo.
-- brion vibber (brion @ pobox.com)
Andrew Gray <shimgray@...> writes:
It strikes me that announcing in advance "Hey, guys, a number of accounts INCLUDING n SYSOPS have blank passwords and can easily be taken over..", then not fixing it for a while, is a recipe for disaster. It's not that hard to generate a list of users with admin privileges, and presumably neither is it impossible to write a short script to try 800 logins...
But there can not be many sysop or higher accounts with no password (I hope).
Using no password, especially when you are sysop is highly irresponsible and those users should be de-sysoped.
When there are no accounts left that are anything else then normal users then blank password could be enabled again for 2 weeks or so to give those users the time to pick a password.
How can users who have no access anymore to there account regain access Brion?
Make a bugzilla ticket?
Walter
Walter Vermeir wrote:
Andrew Gray <shimgray@...> writes:
It strikes me that announcing in advance "Hey, guys, a number of accounts INCLUDING n SYSOPS have blank passwords and can easily be taken over..", then not fixing it for a while, is a recipe for disaster. It's not that hard to generate a list of users with admin privileges, and presumably neither is it impossible to write a short script to try 800 logins...
But there can not be many sysop or higher accounts with no password (I hope).
Using no password, especially when you are sysop is highly irresponsible and those users should be de-sysoped.
When there are no accounts left that are anything else then normal users then blank password could be enabled again for 2 weeks or so to give those users the time to pick a password.
How can users who have no access anymore to there account regain access Brion?
Make a bugzilla ticket?
There are certainly sysops on en: who don't have email addresses entered - should /they/ be desysopped?
There are certainly plenty of people who haven't entered email addresses, and complain "I've lost my password, can you reset it for me" - but how can we be sure that they are the owner of the account, if they never entered an email address?
One solution, possibly not the best, is to force people to enter an email address, and send an "activation token" to that address. At present email is the only way people have of recovering passwords; we need to either give them another way, or make email part of the signup process.
I think they should be de-sysopped - they've put the project at massive risk..
-----Original Message----- From: wikipedia-l-bounces@Wikimedia.org [mailto:wikipedia-l-bounces@Wikimedia.org] On Behalf Of Alphax (Wikipedia email) Sent: 03 February 2006 03:52 To: wikipedia-l@Wikimedia.org Subject: Re: [Wikipedia-l] Re: [Wikitech-l] Password security
Walter Vermeir wrote:
Andrew Gray <shimgray@...> writes:
It strikes me that announcing in advance "Hey, guys, a number of accounts INCLUDING n SYSOPS have blank passwords and can easily be taken over..", then not fixing it for a while, is a recipe for disaster. It's not that hard to generate a list of users with admin privileges, and presumably neither is it impossible to write a short script to try 800 logins...
But there can not be many sysop or higher accounts with no password (I
hope).
Using no password, especially when you are sysop is highly irresponsible and those users should be de-sysoped.
When there are no accounts left that are anything else then normal users then blank password could be enabled again for 2 weeks or so to give those users the time to pick a password.
How can users who have no access anymore to there account regain access
Brion?
Make a bugzilla ticket?
There are certainly sysops on en: who don't have email addresses entered - should /they/ be desysopped?
There are certainly plenty of people who haven't entered email addresses, and complain "I've lost my password, can you reset it for me" - but how can we be sure that they are the owner of the account, if they never entered an email address?
One solution, possibly not the best, is to force people to enter an email address, and send an "activation token" to that address. At present email is the only way people have of recovering passwords; we need to either give them another way, or make email part of the signup process.
-- Alphax - http://en.wikipedia.org/wiki/User:Alphax Contributor to Wikipedia, the Free Encyclopedia "We make the internet not suck" - Jimbo Wales Public key: http://en.wikipedia.org/wiki/User:Alphax/OpenPGP
Walter Vermeir wrote:
Using no password, especially when you are sysop is highly irresponsible and those users should be de-sysoped.
I thought adminship was no big deal... ;)
Chris
On 2/4/06, Chris Jenkinson chris@starglade.org wrote:
Walter Vermeir wrote:
Using no password, especially when you are sysop is highly irresponsible and those users should be de-sysoped.
I thought adminship was no big deal... ;)
I personally think they should be lined up and shot.
Defend the citadel!
wikipedia-l@lists.wikimedia.org