If we're going to be giving "sysop" status fairly liberally (and I don't disagree with that as a policy), you might consider still making at least one concession to database security: currently, anyone with sysop access can query the database and see users' passwords in plaintext. People tend to use the same password for several things--so it wouldn't surprise me at all if I were able to log onto Magnus's email account or something.
It shouldn't be too much work to use some minimal encryption there.
Yes! I suggested that we have a separate 'is_developer' status. I assume that in addition to the problem you mentioned, people could also issue destructive commands easily enough.
I suspect that even with is_developer, we should also do something about the password problem. I don't think there is any good reason to store the passwords in plaintext.
Well, there's one -- it's nice to be able to email someone their password if they forget it. But a better (more secure) solution is to email them a *new* password if they forget their *old* one.
The way this should work is this:
1. If you forget your password, you can just enter your email address on the site.
2. A new password is randomly selected and mailed to your email address. At this juncture, though, *either* password should work, both the old and the new. (This prevents a denial-of-service pest from locking you out by requesting your password every 5 minutes, thus causing your old one not to work.)
3. If you log in with your new password, it replaces your real password. Or else you are prompted to select a new password at that point.
4. If you never log in with the new password, nothing else needs to happen. Your old one will still work.
In any event, ALL of these passwords should be stored encrypted.
-------------
The key is to protect against people being annoying, while also giving some degree of security.
Wikipedia passwords aren't so precious -- but still, a certain level of security makes good sense. It isn't so much a concern about people "breaking into your wikipedia account" -- in the old days, the whole notion of an "account" was a total fiction anyway. It's more the concern raised by Lee -- people shouldn't, but they do reuse passwords for both sensitive and nonsensitive things.
As for me, you can now use my password from the wikipedia database to see all sorts of things requiring free registration all over the web. :-)
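The reset flow laid out in the four steps above (new password mailed, old one keeps working until the new one is actually used, everything stored hashed rather than in plaintext), as an added example that is not code from this thread or from the wiki software it discusses. It assumes an in-memory dict as the "database", PBKDF2-HMAC-SHA256 with a per-user random salt as the hashing scheme (the thread names no algorithm), and hypothetical helper names; no mail is sent, the function simply returns the password that would be mailed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Work factor for PBKDF2; an illustrative value, not one the thread specifies.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest. Only this is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so that a sysop reading the table learns nothing extra from timing."""
    return hmac.compare_digest(hash_password(password, salt), digest)


@dataclass
class User:
    name: str
    email: str
    salt: bytes
    digest: bytes
    # Pending reset password (step 2), also stored only as a salted digest.
    reset_salt: Optional[bytes] = None
    reset_digest: Optional[bytes] = None


def new_user(name: str, email: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(name, email, salt, hash_password(password, salt))


def request_reset(users: Dict[str, User], email: str) -> Optional[str]:
    """Step 1 and 2: look the account up by e-mail address, pick a random new
    password and record its hash. Returns the password that would be mailed
    (constructed here; nothing is actually sent). The old password is left
    untouched, so repeated requests cannot lock the real owner out."""
    user = next((u for u in users.values() if u.email == email), None)
    if user is None:
        return None
    temp = secrets.token_urlsafe(12)
    user.reset_salt = secrets.token_bytes(16)
    user.reset_digest = hash_password(temp, user.reset_salt)
    return temp


def login(users: Dict[str, User], name: str, password: str) -> bool:
    """Steps 3 and 4: either password is accepted while a reset is pending.
    Logging in with the new one promotes it to the real password; logging in
    with the old one changes nothing."""
    user = users.get(name)
    if user is None:
        return False
    if verify(password, user.salt, user.digest):
        return True
    if user.reset_digest is not None and verify(password, user.reset_salt, user.reset_digest):
        user.salt, user.digest = user.reset_salt, user.reset_digest
        user.reset_salt = user.reset_digest = None
        return True
    return False


def change_password(users: Dict[str, User], name: str, new_password: str) -> None:
    """The 'prompted to select a new password' variant of step 3: re-hash and
    discard any pending reset password."""
    user = users[name]
    user.salt = secrets.token_bytes(16)
    user.digest = hash_password(new_password, user.salt)
    user.reset_salt = user.reset_digest = None


if __name__ == "__main__":
    db: Dict[str, User] = {}
    db["lee"] = new_user("lee", "lee@example.org", "correct horse")  # constructed sample account
    mailed = request_reset(db, "lee@example.org")
    print("old password still works:", login(db, "lee", "correct horse"))
    print("mailed password works:", login(db, "lee", mailed))
    print("old password now rejected:", not login(db, "lee", "correct horse"))
```

A second reset request simply replaces the pending password, so at most two passwords are ever valid at once (the real one and the latest mailed one); the thread does not say what to do with superseded reset passwords, and dropping them is the choice made here.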
On Fri, 2002-03-29 at 16:48, Jimmy Wales wrote:
> I suspect that even with is_developer, we should also do something about the password problem. I don't think there is any good reason to store the passwords in plaintext.
Agreed.
> The way this should work is this:
> - If you forget your password, you can just enter your email address on the site.
We should probably make sure that there's an e-mail address field on the signup page; I suspect most people haven't put their address into the receptacle in the prefs box. Hence accounts and e-mail address aren't reliably linked.
-- brion vibber (brion @ pobox.com)
wikitech-l@lists.wikimedia.org