Hello,
Is it possible to make Mediawiki generate readable and easy to remember passwords? i.e. avoiding confusion between 1 and l, and using combinations of letters that are pronounceable?
Thanks
-John
John Ky wrote:
Hello,
Is it possible to make Mediawiki generate readable and easy to remember passwords? i.e. avoiding confusion between 1 and l, and using combinations of letters that are pronounceable?
Thanks
-John
Hoi, There is a difference between if MediaWiki could generate passwords and if it should. When there is an engine that generates passwords, this same engine could be used to generate passwords for an attack. Choosing passwords is the end-user's responsibility. It is exactly by choosing a 1 instead of an l that a brute force attack becomes slightly more problematic.
The other thing to consider is that when MW starts generating passwords, they will then be based on English? Bad idea when people use other languages like Hindi or Russian. At that, the captchas doing English words are not that great an idea (though it is convenient for me).
Thanks, GerardM
Hi Gerard,
The issue isn't whether it could or should generate passwords because it already does generate passwords. The "E-mail password" functionality people use when they forget their password already generates a new password. I am asking if the generated password can be made easier to remember. The criteria I'm asking for isn't whether the generated passwords should be English, but whether they should be pronounceable - for instance "jimperbolt" or "paldyacktor" instead of "tN2HcQm".
-John
On 9/2/06, Gerard Meijssen gerard.meijssen@gmail.com wrote:
John Ky wrote:
Hello,
Is it possible to make Mediawiki generate readable and easy to remember passwords? i.e. avoiding confusion between 1 and l, and using combinations of letters that are pronounceable?
Thanks
-John
Hoi, There is a difference between if MediaWiki could generate passwords and if it should. When there is an engine that generates passwords, this same engine could be used to generate passwords for an attack. Choosing passwords is the end-user's responsibility. It is exactly by choosing a 1 instead of an l that a brute force attack becomes slightly more problematic.
The other thing to consider is that when MW starts generating passwords, they will then be based on English? Bad idea when people use other languages like Hindi or Russian. At that, the captchas doing English words are not that great an idea (though it is convenient for me).
Thanks, GerardM _______________________________________________ Wikitech-l mailing list Wikitech-l@wikimedia.org http://mail.wikipedia.org/mailman/listinfo/wikitech-l
On 9/2/06, Gerard Meijssen gerard.meijssen@gmail.com wrote:
There is a difference between if MediaWiki could generate passwords and if it should. When there is an engine that generates passwords, this same engine could be used to generate passwords for an attack. Choosing passwords is the end-user's responsibility. It is exactly by choosing a 1 instead of an l that a brute force attack becomes slightly more problematic.
Heh, check the passwords that most people use, I bet you find they're all "puppy" and "susie".
Steve
On 9/3/06, Steve Bennett stevage@gmail.com wrote:
Heh, check the passwords that most people use, I bet you find they're all "puppy" and "susie".
IIRC, either Brion or Tim did some checking a while ago and found that many people did indeed have very short passwords. I can't find the message however, it may have had something to do with single sign-in stuff.
I do know that the ability to have an empty password was only switched off in January this year: http://mail.wikipedia.org/pipermail/wikitech-l/2006-January/033833.html
Stephen Bain schrieb:
On 9/3/06, Steve Bennett stevage@gmail.com wrote:
Heh, check the passwords that most people use, I bet you find they're all "puppy" and "susie".
IIRC, either Brion or Tim did some checking a while ago and found that many people did indeed have very short passwords. I can't find the message however, it may have had something to do with single sign-in stuff.
They shouldn't be able to check this, since passwords are stored as MD5 hashes in the DB, no? -- Leon
On 9/3/06, Leon Weber leon.weber@leonweber.de wrote:
They shouldn't be able to check this, since passwords are stored as md5-hashes in the DB, no?
I believe that it was some basic dictionary checking, conducted by a script that simply reported whether or not a given common word was being used as a password. The data produced was not linked to any accounts.
On 03/09/06, Leon Weber leon.weber@leonweber.de wrote:
They shouldn't be able to check this, since passwords are stored as md5-hashes in the DB, no?
I recall coming across a page somewhere where Tim posted a list of all users who appeared to be using the same password; this was a long time ago, before salted hashing, I guess...
...your own conclusions draw you shall. :) Incidentally, the page was blanked, deleted etc. and Brion was not a happy system admin. This is also no longer possible to determine since we salt password hashes, so Don't Panic.
Rob Church
On 9/3/06, Rob Church robchur@gmail.com wrote:
I recall coming across a page somewhere where Tim posted a list of all users who appeared to be using the same password; this was a long time ago, before salted hashing, I guess...
Mostly users suspected of being Lir's sockpuppets, not all users. http://it.slashdot.org/article.pl?sid=05/05/31/172233
Angela.
On 03/09/06, Angela beesley@gmail.com wrote:
Mostly users suspected of being Lir's sockpuppets, not all users. http://it.slashdot.org/article.pl?sid=05/05/31/172233
Yes, well, whatever; nobody cares now. Grievous violation of privacy, etc, etc. slap on wrist - all administered at the time. I mentioned it as a point of interest.
Rob Church
On 9/3/06, Stephen Bain stephen.bain@gmail.com wrote:
IIRC, either Brion or Tim did some checking a while ago and found that many people did indeed have very short passwords. I can't find the message however, it may have had something to do with single sign-in stuff.
I do know that the ability to have an empty password was only switched off in January this year:
We should probably bear in mind we're talking about wikis here, not bank accounts or anything especially confidential.
Steve
Steve Bennett wrote:
On 9/3/06, Stephen Bain stephen.bain@gmail.com wrote:
IIRC, either Brion or Tim did some checking a while ago and found that many people did indeed have very short passwords. I can't find the message however, it may have had something to do with single sign-in stuff.
I do know that the ability to have an empty password was only switched off in January this year:
We should probably bear in mind we're talking about wikis here, not bank accounts or anything especially confidential.
Steve
Hoi, Without the benefit of an old thread it is a very cryptic remark. However, from a basic point of view without sufficiently secure passwords the notion of confidentiality is severely diminished. You only consider our present requirements and with Wikiversity they WILL change. Also with the upcoming single login we will have one password for everything. If anything suggesting that "easy to remember passwords" are a good thing is something I do not share with you. I would not accept the liability that follows from bad practice when this bad practice is promoted by us as an organisation.
When people select their own passwords then it is their business to select something suitable. Given that people often do not have secure passwords, I would suggest using stronger authentication when our needs change. Thanks, GerardM
On 9/11/06, Steve Bennett stevage@gmail.com wrote:
We should probably bear in mind we're talking about wikis here, not bank accounts or anything especially confidential.
Sysops can add arbitrary JavaScript to the page. There are over a thousand on enwiki alone.
On 9/11/06, Gerard Meijssen gerard.meijssen@gmail.com wrote:
If anything suggesting that "easy to remember passwords" are a good thing is something I do not share with you.
"Easy to remember" is different from "easy to guess", although of course the intersection of the two is large.
Steve Bennett wrote:
On 9/2/06, Gerard Meijssen gerard.meijssen@gmail.com wrote:
There is a difference between if MediaWiki could generate passwords and if it should. When there is an engine that generates passwords, this same engine could be used to generate passwords for an attack. Choosing passwords is the end-user's responsibility. It is exactly by choosing a 1 instead of an l that a brute force attack becomes slightly more problematic.
Heh, check the passwords that most people use, I bet you find they're all "puppy" and "susie".
Steve
Hoi, No, they are all "secret". GerardM
John Ky wrote:
Is it possible to make Mediawiki generate readable and easy to remember passwords? i.e. avoiding confusion between 1 and l, and using combinations of letters that are pronounceable?
Really it shouldn't be generating passwords ever. :)
In the cases where it does generate a password, this should be changed to a temporary code that lets you get in just far enough to set your own password.
Among other things, this would ensure that people don't have all their account passwords sitting in their e-mail archives for any opportunist to type "password" into their Gmail search...
-- brion vibber (brion @ pobox.com)
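Brion's proposal above, a temporary code that only unlocks the "set your own password" step, as an added Python example that is not MediaWiki's code; the in-memory store, the one-hour validity, and the salted PBKDF2 password scheme are all assumptions made for the illustration:

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600   # assumed: the temporary code is good for one hour
PBKDF2_ROUNDS = 100_000    # assumed work factor for the stored password hash
users, pending_resets = {}, {}   # constructed stand-ins for the DB: digests only

def issue_reset_token(username, now=None):
    """Make a single-use code for e-mailing; keep only its digest and expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(24)           # 192 bits from the OS CSPRNG
    pending_resets[username] = {
        "digest": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token

def redeem_reset_token(username, token, now=None):
    """Consume the code: accepted once, and only before it expires."""
    now = time.time() if now is None else now
    rec = pending_resets.get(username)
    if rec is None:
        return False
    if now >= rec["expires"]:
        del pending_resets[username]            # stale code is discarded
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, rec["digest"]):
        return False                            # wrong code: entry stays until expiry
    del pending_resets[username]                # right code: spent, cannot be replayed
    return True

def set_password(username, token, new_password, now=None):
    """The only thing the code unlocks: choosing a real password."""
    if not redeem_reset_token(username, token, now):
        return False
    salt = secrets.token_bytes(16)              # salted PBKDF2 is an assumed scheme
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS)
    users[username] = {"salt": salt, "digest": digest}
    return True

def check_password(username, password):
    rec = users.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, rec["digest"])
```

Because only the digest of the code is stored and the code is spent on first use, a copy sitting in an old mailbox, the problem Brion describes, is worthless after the reset completes or the hour passes.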
Hi Brion,
Yes, I would prefer that solution the most. Will it make its way into the software?
-John
On 9/2/06, Brion Vibber brion@pobox.com wrote:
Really it shouldn't be generating passwords ever. :)
In the cases where it does generate a password, this should be changed to a temporary code that lets you get in just far enough to set your own password.
Among other things, this would ensure that people don't have all their account passwords sitting in their e-mail archives for any opportunist to type "password" into their Gmail search...
-- brion vibber (brion @ pobox.com)
On 9/2/06, Brion Vibber brion@pobox.com wrote:
Really it shouldn't be generating passwords ever. :)
In the cases where it does generate a password, this should be changed to a temporary code that lets you get in just far enough to set your own password.
Among other things, this would ensure that people don't have all their account passwords sitting in their e-mail archives for any opportunist to type "password" into their Gmail search...
If you ever do get convinced to generate easier passwords.. Please look at the S/KEY password system. Each phrase encodes 64 bits.. which is far better than any passwords that humans are going to generate (killing GerardM's argument).
The problem with any such system is that the password is only easy for people who speak the right language..
What do the folks at the RTL middle eastern languages think of our captchas btw?
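The entropy arithmetic behind Gregory's S/KEY point (64 bits per phrase) set against John's original request (pronounceable, no 1/l confusion, something other than "tN2HcQm"), as an added Python example that is not from the list or from MediaWiki; the consonant-vowel syllable pool is a constructed stand-in, not the S/KEY dictionary, and the character exclusions are assumptions chosen to illustrate the idea:

```python
import math
import secrets

# Constructed syllable pool: consonant + vowel pairs over an alphabet that
# leaves out the characters John calls confusable (l vs 1, o vs 0) and the
# letters that make awkward syllables (q, x, y). Each pair is equally likely.
CONSONANTS = "bcdfghjkmnprstvwz"
VOWELS = "aeiu"
SYLLABLES = [c + v for c in CONSONANTS for v in VOWELS]   # 68 syllables
BITS_PER_SYLLABLE = math.log2(len(SYLLABLES))             # about 6.09 bits

def random_string_bits(alphabet_size, length):
    """Entropy of a uniformly random string, e.g. 7 chars over [A-Za-z0-9]."""
    return length * math.log2(alphabet_size)

def syllables_needed(target_bits):
    """Smallest syllable count whose entropy reaches target_bits."""
    return math.ceil(target_bits / BITS_PER_SYLLABLE)

def pronounceable_password(target_bits):
    """Draw syllables with the OS CSPRNG (secrets), never random.random().
    Draws are independent and uniform, and every two-letter chunk is its own
    syllable, so the entropy is exactly count * log2(68)."""
    count = syllables_needed(target_bits)
    return "".join(secrets.choice(SYLLABLES) for _ in range(count))

def is_well_formed(password):
    """Accept only strings that split cleanly into syllables from the pool."""
    chunks = [password[i:i + 2] for i in range(0, len(password), 2)]
    return bool(chunks) and all(ch in SYLLABLES for ch in chunks)
```

Matching the roughly 42 bits of a 7-character alphanumeric string takes 7 syllables (14 letters), and matching S/KEY's 64 bits takes 11; the readability Gerard worries about costs length, not strength, as long as the draw is uniform and comes from a CSPRNG.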
Gregory Maxwell wrote:
What do the folks at the RTL middle eastern languages think of our captchas btw?
In the Hebrew projects, it is not enabled in Wikipedia, and the users in the other projects didn't complain. Most users speak English, or can recognise English letters.
Sadly, I don't know much about the other RTL projects.
Rotem Liss wrote:
Gregory Maxwell wrote:
What do the folks at the RTL middle eastern languages think of our captchas btw?
In the Hebrew projects, it is not enabled in Wikipedia, and the users in the other projects didn't complain. Most users speak English, or can recognise English letters.
Commons does have it enabled, and it's for all wikis. Plus I have read complaints about it. These captchas are 'made for English people', which can be good or bad.