Hi all, I wanted to bikeshed just a little bit, to make sure there is some
tl;dr We're upgrading the password hash used to store passwords to make
offline cracking more difficult. In doing that, we need to set one of the
options as default. Speak up if you have strong feelings about one over the
Along with refactoring how passwords are stored and checked,
https://gerrit.wikimedia.org/r/#/c/77645 implements two strong hashing
algorithms, PBKDF2 and bcrypt. I added a followup commit to add in
the algorithm that Tim came up with in 2010 using Whirlpool as a hash
For any of these, there is a maintenance script to wrap current passwords
with one of the strong ones, so we can upgrade the whole database without
interaction from the users. It's also simple to upgrade the work factor or
change to a new algorithm, if we decide that is needed in the future. But
for the actual default...
Bcrypt is probably the most common option for password storage in webapps
that I see. PHP 5.5 uses it as the default for the new password_hash()
function. The only issue is that PHP before 5.3.7 had a flaw in their
implementation which resulted in weak hashes. If we set bcrypt as default,
we would want to raise the minimum PHP version to 5.3.7 (it's currently
5.3.2) for MediaWiki 1.23.
PBKDF2 is an RSA standard and is included in PHP 5.5. Tyler did an
implementation in the patch to make it backwards compatible. The only
downside to it is the connection to RSA, who may have knowingly
standardized weak algorithms, although the security properties of PBKDF2
are fairly well studied and haven't been called into question.
The Whirlpool algorithm by Tim would force password cracking software to do
a custom implementation for our hashes. It has very similar work effort to
bcrypt, and should keep our passwords as safe as using bcrypt. The theory
behind it seems good, but obviously, we might discover a gaping hole in it
at some point.
Is there any strong preference among these options? My personal vote is for
bcrypt, if bumping the PHP version doesn't seem like a big deal to everyone.
 - https://en.wikipedia.org/wiki/PBKDF2
 - https://en.wikipedia.org/wiki/Bcrypt
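
The wrap-then-upgrade flow described in the message above, as an added example that is not part of the original post and is not MediaWiki's code. It assumes the existing rows are salted MD5 in a ":B:salt:hash" layout; the ":pbkdf2:" and ":pbkdf2-legacyB:" record layouts, the function names and the iteration count are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumed work factor for this example

def legacy_b(password: str, salt: str) -> str:
    # Assumed legacy scheme: md5(salt + "-" + md5(password)), hex encoded.
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(f"{salt}-{inner}".encode()).hexdigest()

def pbkdf2_hex(data: bytes, salt: bytes, iterations: int) -> str:
    return hashlib.pbkdf2_hmac("sha256", data, salt, iterations).hex()

def hash_new(password: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)
    return f":pbkdf2:{iterations}:{salt.hex()}:{pbkdf2_hex(password.encode(), salt, iterations)}"

def wrap_legacy(stored: str, iterations: int = ITERATIONS) -> str:
    # Maintenance step: uses only the stored record, never the plaintext.
    _, tag, old_salt, old_hash = stored.split(":")
    if tag != "B":
        raise ValueError("not a legacy record")
    salt = os.urandom(16)
    outer = pbkdf2_hex(old_hash.encode(), salt, iterations)
    return f":pbkdf2-legacyB:{iterations}:{salt.hex()}:{old_salt}:{outer}"

def verify(password: str, stored: str) -> bool:
    tag, *f = stored.split(":")[1:]
    if tag == "B" and len(f) == 2:
        candidate, digest = legacy_b(password, f[0]), f[1]
    elif tag == "pbkdf2" and len(f) == 3:
        candidate, digest = pbkdf2_hex(password.encode(), bytes.fromhex(f[1]), int(f[0])), f[2]
    elif tag == "pbkdf2-legacyB" and len(f) == 4:
        inner = legacy_b(password, f[2]).encode()  # recompute the old hash, then wrap it
        candidate, digest = pbkdf2_hex(inner, bytes.fromhex(f[1]), int(f[0])), f[3]
    else:
        return False
    return hmac.compare_digest(candidate, digest)

def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    parts = stored.split(":")
    return parts[1] != "pbkdf2" or int(parts[2]) < iterations

def login(password: str, stored: str) -> tuple[bool, str]:
    # On a successful login the plaintext is available, so upgrade in place.
    if not verify(password, stored):
        return False, stored
    return True, hash_new(password) if needs_rehash(stored) else stored
```

The wrapped record keeps the weak inner hash in the chain until the user next logs in, which is why login() replaces it with a direct hash of the password at that point.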
I just wanted to report a bug, and info-en(a)wikipedia.org referred me here.
Sadly, upon trying to create a pdf (using the otherwise genius
Print/export feature) of a page that involves lines above letters
(e.g. http://en.wikipedia.org/wiki/List_of_mesons) the lines above
letters (here essential to indicate the difference between Particle
and Antiparticle) just disappear.
In the linked Article that can be seen in the caption under the first
Image where the pdf then contains the text "The strange antiquark (s)"
despite there being a line above the "s" in the online Article.
There is a StartTimestamp property used in the edit API, which should
contain the time when you started editing the page. This timestamp
needs to be in the same timezone as the wiki.
How do you get current wiki time, so that you can either calculate the
timezone or use the time? For example:
1) Get current wiki time and store it
2) Edit the page
3) Use previously retrieved ts as StartTimestamp
How can I query MediaWiki in order to get the current time from the
server's point of view?
On Feb 26, 2014 10:09 AM, "Brad Jorsch (Anomie)" <bjorsch(a)wikimedia.org>
> Note the returned timestamp should always be in UTC, formatted in ISO 8601
> format (e.g. "2014-02-26T15:01:37Z").
Speaking of timestamp format, examples in api.php seem wrong for
The examples use an entirely numeric timestamp like you get when paging
through [[special:log]] (in browser, not API). The format returned by
prop=revisions&rvprop=timestamp does match the format you described.
This is a query regarding GSoC '14. I'm proficient in Hindi and English. I
also am a hobbyist web developer and am quite familiar with
of translation for GSoC 2014. Where do I start?
Thanks in advance.
Narendra Nath Joshi
+91 8050 434 665