Ya, well I was a good girl and I did as I was told to do.
Now... I changed my password to a VERY simple one so that it takes less time to relogin each time.
And most of my edits are anonymous... which creates a problem to me because I keep being asked to fill up the captcha thing and of course I miss all the nice user features... but it also creates a problem to my peers who have to keep a watch on my anonymous edits.
So, I do not know what is the extent of the current security issue, but I tell you that from a user perspective, the 2 factor authentification system is absolutely not ok :)
I do not know how many people switched and I dunno if all meet the same problem than I.
If others are facing the same consequences... I believe you should stop to push people to implement the 2 steps.
If I am alone in this situation.... please someone remove the 2 factors identification system from my account. Please. Please.
Anthere
Le 21/11/2016 à 11:15, John Mark Vandenberg a écrit :
Ya, this is why I haven't done it.
Also, I should be able to set it up such that TFA is not necessary until my account attempts to do an admin action.
On Mon, Nov 21, 2016 at 4:37 PM, Florence Devouard fdevouard@gmail.com wrote:
Hello
I had the super bad idea of implementing the two-factor authentication and now I need help :)
The system is not "recording" me as registered. Which means that I am disconnected every once in a while. Roughly every 15 minutes... and every time I change project (from Wikipedia to Commons etc.)
Which means that every 15 minutes, I need to relogin... retype login and password... grab my phone... wake it up... launch the app... get the number... enter it... validate... OK, good to go for 15 minutes...
So... how do I fix that ?
Thanks
Florence
Le 16/11/2016 à 10:57, Tim Starling a écrit :
Since Friday, we've had a slow but steady stream of admin account compromises on WMF projects. The hacker group OurMine has taken credit for these compromises.
We're fairly sure now that their mode of operation involves searching for target admins in previous user/password dumps published by other hackers, such as the 2013 Adobe hack. They're not doing an online brute force attack against WMF. For each target, they try one or two passwords, and if those don't work, they go on to the next target. Their success rate is maybe 10%.
When they compromise an account, they usually do a main page defacement or similar, get blocked, and then move on to the next target.
Today, they compromised the account of a www.mediawiki.org admin, did a main page defacement there, and then (presumably) used the same password to log in to Gerrit. They took a screenshot, sent it to us, but took no other action.
So, I don't think they are truly malicious -- I think they are doing it for fun, fame, perhaps also for their stated goal of bringing attention to poor password security.
Indications are that they are familiarising themselves with MediaWiki and with our community. They probably plan on continuing to do this for some time.
We're doing what we can to slow them down, but admins and other users with privileged access also need to take some responsibility for the security of their accounts. Specifically:
- If you're an admin, please enable two-factor authentication.
https://meta.wikimedia.org/wiki/H:2FA
- Please change your password, if you haven't already changed it in
the last week. Use a new password that is not used on any other site.
- Please do not share passwords across different WMF services, for
example, between the wikis and Gerrit.
(Cross-posted to wikitech-l and wikimedia-l, please copy/link elsewhere as appropriate.)
-- Tim Starling
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l