There are "good" reasons people would target checkuser accounts, WMF staff
email accounts, and other accounts that have access to lots of private info
like functionary email accounts and accounts with access to restricted IRC
channels.
Pine
On Thu, Aug 7, 2014 at 11:21 AM, Ryan Lane <rlane32(a)gmail.com> wrote:
On Thu, Aug 7, 2014 at 6:58 AM, Casey Brown
<lists(a)caseybrown.org> wrote:
On Thu, Aug 7, 2014 at 8:10 AM, Risker
<risker.wp(a)gmail.com> wrote:
A lot of the "solutions" normally
bandied about involve things like
two-factor identification, which has the "additional" password coming
through a separate route (e.g., gmail two-factor ID sends a second
password
as a text to a mobile) and means having more
expensive technology) or
using
technology like dongles that cannot be sent to
users in certain
countries.
Actually, most modern internet implementations use the TOTP algorithm
open standard that anyone can use for free.
<https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm>
One of the most common methods, other than through text messages, is
the Google Authenticator App that anyone can download for free on a
smart phone. <https://en.wikipedia.org/wiki/Google_Authenticator>.
Yep. This. It's already being used for high-risk accounts on
wikitech.wikimedia.org. It's not in good enough shape to be used anywhere
else, since if you lose your device you'd lose your account. Supporting two
factor auth also requires supporting multiple ways to rescue your account
if you lose your device (and don't write down your scratch tokens, which is
common). Getting this flow to work in a way that actually adds any security
benefit is difficult. See the amount of effort Google has gone through for
this.
Let's be a little real here, though. There's honestly no good reason to
target these accounts. There's basically no major damage they can do and
there's very little private information accessible to them, so attackers
don't really care enough to attack them.
We should take basic account security seriously, but we shouldn't go
overboard.
- Ryan
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l