Normal people just *don't understand* passwords.
I used to do dial-up Internet tech support. "What do you want for a password?" "Oh, [username]." "I'm sorry, you can't have it be the same." "Oh, [username]1."
Suggestions? Assume we can't require an RSA keyfob for all editors.
- d.
On 07/05/07, David Gerard dgerard@gmail.com wrote:
Normal people just *don't understand* passwords.
I used to do dial-up Internet tech support. "What do you want for a password?" "Oh, [username]." "I'm sorry, you can't have it be the same." "Oh, [username]1."
Suggestions? Assume we can't require an RSA keyfob for all editors.
... but it would certainly not be unfeasible for all users whose details are already held by the Foundation (CheckUser, Oversight, Steward... others?). Intriguing concept - HTTPS-only RSA login for "special" users. But not very wiki-like. :-)
Yrs,
On 5/7/07, James Forrester jdforrester@gmail.com wrote:
On 07/05/07, David Gerard dgerard@gmail.com wrote:
Normal people just *don't understand* passwords.
I used to do dial-up Internet tech support. "What do you want for a password?" "Oh, [username]." "I'm sorry, you can't have it be the same." "Oh, [username]1."
Suggestions? Assume we can't require an RSA keyfob for all editors.
... but it would certainly not be unfeasible for all users whose details are already held by the Foundation (CheckUser, Oversight, Steward... others?). Intriguing concept - HTTPS-only RSA login for "special" users. But not very wiki-like. :-)
How about: you can still log in without the cert but you only get your magic privs if you have the cert?
Some bread-and-butter web security would help as well:
* Captcha after repeated failed password attempts
* Some client-side JS that advises you on estimated password strength in real time
* Additional server-side rejection of idiotic passwords for all accounts, even stronger for accounts with elevated access.
I also think the previously suggested 'sacrifice your sysop bit to desysop someone else' button would be good.
Moving login to another domain which is https, sending authentication back via openid, and never asking for a password on a site where any user can provide JS or CSS would also be wise... but I guess that's a feature that SUL would make possible.
On 07/05/07, David Gerard dgerard@gmail.com wrote:
Normal people just *don't understand* passwords.
I used to do dial-up Internet tech support. "What do you want for a password?" "Oh, [username]." "I'm sorry, you can't have it be the same." "Oh, [username]1."
Sounds like your old dial-up company didn't understand passwords either - how difficult is it to implement a system which doesn't involve everyone telling tech support their password?
Suggestions? Assume we can't require an RSA keyfob for all editors.
It's not unusual to have a set of rules passwords have to satisfy that are checked whenever an account is made or the password changed. It doesn't take much to stop the "low hanging fruit" of bad passwords (just require a certain length and require at least one letter and at least one number - dictionary searches are good too, but not as easy).
PS And don't contain the username, of course. (And the username backwards too, I guess)
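The two messages above sketch a password policy (minimum length, at least one letter and one digit, a dictionary check, no username forwards or backwards, stricter rules for elevated accounts) plus a CAPTCHA after repeated failures and a client-side strength estimate. The following is an added illustration of those checks, not code from the thread or from MediaWiki; the tier numbers, the six-word "dictionary", the leetspeak folding table and the throttle limits are all constructed for the example.

```python
import math
import re

# Constructed word list standing in for a real dictionary file; a
# deployment would load a proper wordlist.
COMMON_WORDS = {"password", "wikipedia", "letmein", "qwerty", "welcome", "monkey"}

# Two policy tiers (illustrative numbers): "basic" for ordinary accounts,
# "elevated" for sysop/checkuser/oversight style accounts.
POLICIES = {
    "basic":    {"min_length": 8,  "min_classes": 2},
    "elevated": {"min_length": 12, "min_classes": 3},
}

CLASS_PATTERNS = {
    "lower":  re.compile(r"[a-z]"),
    "upper":  re.compile(r"[A-Z]"),
    "digit":  re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
ALPHABET_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Strip trailing digits, then fold the usual leetspeak substitutions, so
# "P4ssword1" is still caught by the dictionary check.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

def _fold(word):
    return re.sub(r"\d+$", "", word.lower()).translate(_LEET)

def check_password(username, password, tier="basic"):
    """Return a list of policy violations; an empty list means accepted."""
    policy = POLICIES[tier]
    problems = []
    pw_lower = password.lower()
    user_lower = username.strip().lower()

    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")

    classes = sum(1 for pat in CLASS_PATTERNS.values() if pat.search(password))
    if classes < policy["min_classes"]:
        problems.append(f"uses fewer than {policy['min_classes']} character classes")

    # Username forwards or reversed, case-insensitive; very short names are
    # skipped so that "ed" does not forbid every password containing "ed".
    if len(user_lower) >= 3 and (user_lower in pw_lower or user_lower[::-1] in pw_lower):
        problems.append("contains the username (forwards or reversed)")

    if pw_lower in COMMON_WORDS or _fold(password) in COMMON_WORDS:
        problems.append("is a dictionary word, possibly with digits or substitutions")

    return problems

def estimate_bits(password):
    """Crude real-time strength hint for a client-side meter: bits from
    alphabet size times length, scaled down for repeated characters."""
    if not password:
        return 0.0
    alphabet = sum(size for name, size in ALPHABET_SIZE.items()
                   if CLASS_PATTERNS[name].search(password))
    unique_ratio = len(set(password)) / len(password)
    return round(len(password) * math.log2(alphabet) * unique_ratio, 1)

class LoginThrottle:
    """Demand a CAPTCHA once `limit` failures for the same key (for
    example the username) fall inside `window` seconds."""
    def __init__(self, limit=5, window=300):
        self.limit, self.window = limit, window
        self._failures = {}     # key -> timestamps of recent failures

    def _recent(self, key, now):
        hits = [t for t in self._failures.get(key, []) if now - t < self.window]
        self._failures[key] = hits
        return hits

    def record_failure(self, key, now):
        self._recent(key, now).append(now)

    def record_success(self, key):
        self._failures.pop(key, None)

    def captcha_required(self, key, now):
        return len(self._recent(key, now)) >= self.limit

if __name__ == "__main__":
    print(check_password("dgerard", "dgerard1"))          # the tech-support case
    print(check_password("alice", "P4ssword1"))           # folded to "password"
    print(check_password("alice", "Summer2024", "elevated"))
    print(estimate_bits("aaaaaaaa"), estimate_bits("Correct-Horse-Battery-9"))
```

The dictionary and username checks run on the lower-cased, digit-stripped, substitution-folded form, which is what catches "[username]1"; the strength estimate is deliberately crude and is only meant as a client-side hint, never as the server's acceptance criterion.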
On 07/05/07, Thomas Dalton thomas.dalton@gmail.com wrote:
On 07/05/07, David Gerard dgerard@gmail.com wrote:
Normal people just *don't understand* passwords. I used to do dial-up Internet tech support. "What do you want for a password?" "Oh, [username]." "I'm sorry, you can't have it be the same." "Oh, [username]1."
Sounds like your old dial-up company didn't understand passwords either - how difficult is it to implement a system which doesn't involve everyone telling tech support their password?
They were a phone company getting into t3h int@rw3b bizness. They ran the infrastructure on NT. It was my first tech job. I SWEAR.
- d.
Hoi, Please consider the implications of raising the requirements for passwords. At this moment we control it because we maintain our own authentication. With SUL there will be only one place where we will do our authentication.
With the requirement of having passwords of a certain quality for specific roles, it means that the people assuming such roles will have to have a verifiable quality of authentication. This will probably exclude authentication systems that do not provide sufficient strength in their authentication.
Thanks, GerardM
On 5/7/07, David Gerard dgerard@gmail.com wrote:
On 07/05/07, Thomas Dalton thomas.dalton@gmail.com wrote:
On 07/05/07, David Gerard dgerard@gmail.com wrote:
Normal people just *don't understand* passwords. I used to do dial-up Internet tech support. "What do you want for a password?" "Oh, [username]." "I'm sorry, you can't have it be the same." "Oh, [username]1."
Sounds like your old dial-up company didn't understand passwords either - how difficult is it to implement a system which doesn't involve everyone telling tech support their password?
They were a phone company getting into t3h int@rw3b bizness. They ran the infrastructure on NT. It was my first tech job. I SWEAR.
- d.
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/wikitech-l
On 07/05/07, GerardM gerard.meijssen@gmail.com wrote:
Please consider the implications of raising the requirements for passwords. At this moment we control it because we maintain our own authentication. With SUL there will be only one place where we will do our authentication.
You're right. Tubgirl on every page of the encyclopedia is far preferable.
- d.
Hoi, Don't be daft and try to understand before you spout nonsense. People consider using OpenID as an authentication source for Wikipedia. Now engage brain. Thanks, GerardM
On 5/7/07, David Gerard dgerard@gmail.com wrote:
On 07/05/07, GerardM gerard.meijssen@gmail.com wrote:
Please consider the implications of raising the requirements for passwords. At this moment we control it because we maintain our own authentication. With SUL there will be only one place where we will do our authentication.
You're right. Tubgirl on every page of the encyclopedia is far preferable.
- d.
On 07/05/07, GerardM gerard.meijssen@gmail.com wrote:
Hoi, Don't be daft and try to understand before you spout nonsense. People consider using OpenID as an authentication source for Wikipedia. Now engage brain.
Please try to refrain from attacking members of the community in good standing, regardless of whether or not they are "spouting nonsense", which David was not.
Rob Church
Hoi, Suggesting that I would be in favour of having the tubgirl on every page is hardly an example of being nice. Daft is on a par with silly. Calling that "attacking" is imho a stretch.
David is in good standing and so am I. So it would be better for him to react less primary. David does not have a license to offend either.
Thanks, Gerard
On 5/8/07, Rob Church robchur@gmail.com wrote:
On 07/05/07, GerardM gerard.meijssen@gmail.com wrote:
Hoi, Don't be daft and try to understand before you spout nonsense. People consider using OpenID as an authentication source for Wikipedia. Now engage brain.
Please try to refrain from attacking members of the community in good standing, regardless of whether or not they are "spouting nonsense", which David was not.
Rob Church
On 08/05/07, GerardM gerard.meijssen@gmail.com wrote:
Hoi, Suggesting that I would be in favour of having the tubgirl on every page is hardly an example of being nice. Daft is on a par with silly. Calling that "attacking" is imho a stretch.
Telling someone they're "spouting nonsense" didn't exactly reduce the level of it, did it? By the way; your classic greeting of "hoi" is usually considered to be quite a rude way of getting someone's attention in the English speaking world. This whole cultural acceptance thing goes both ways.
Rob Church
On 5/8/07, Rob Church robchur@gmail.com wrote:
On 08/05/07, GerardM gerard.meijssen@gmail.com wrote:
Hoi, Suggesting that I would be in favour of having the tubgirl on every page is hardly an example of being nice. Daft is on a par with silly. Calling that "attacking" is imho a stretch.
Telling someone they're "spouting nonsense" didn't exactly reduce the level of it, did it? By the way; your classic greeting of "hoi" is usually considered to be quite a rude way of getting someone's attention in the English speaking world. This whole cultural acceptance thing goes both ways.
If you two want to argue, please take it to private e-mail. Development talk here, please.
On 08/05/07, Simetrical Simetrical+wikilist@gmail.com wrote:
If you two want to argue, please take it to private e-mail. Development talk here, please.
My sincere apologies to the list.
C'mon, Gerard, let's take this to the official fighting list, or as they prefer us to call it, foundation-l.
Rob Church
On 5/7/07, David Gerard dgerard@gmail.com wrote:
On 07/05/07, GerardM gerard.meijssen@gmail.com wrote:
Please consider the implications of raising the requirements for passwords. At this moment we control it because we maintain our own authentication. With SUL there will be only one place where we will do our authentication.
You're right. Tubgirl on every page of the encyclopedia is far preferable.
Gerard's point is that if we accept outside openid auth we will not be able to impose password requirements. I didn't think doing that was a goal, I think we were only planning on being an authentication source to others.
On 5/7/07, Gregory Maxwell gmaxwell@gmail.com wrote:
Gerard's point is that if we accept outside openid auth we will not be able to impose password requirements.
Or at least not easily. We'd have to basically try brute-forcing the password remotely, which will not be fun or easy or possibly even legal. Unless we can get LJ or whoever to play along.
We could just not allow OpenID logins to use sysop powers.
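Two proposals in this thread amount to the same design: let anyone log in, but tie each elevated right to how strongly the session was authenticated (only local-password logins for sysop powers; the "magic privs" only with the client certificate). The block below is an added sketch of that rule, not code from the thread or from MediaWiki or SUL; the method names, assurance levels, group-to-right mapping and per-right thresholds are all constructed for the example.

```python
# Assurance each login method provides (constructed ordering). A remote
# OpenID provider's password policy is not ours to check, so it ranks lowest.
ASSURANCE = {"openid": 1, "password": 2, "password+cert": 3}
MAX_LEVEL = max(ASSURANCE.values())

# Minimum assurance per right. Rights not listed here default to the
# highest level, i.e. the policy fails closed.
REQUIRED = {
    "edit": 1,
    "delete": 2, "block": 2, "protect": 2,
    "checkuser": 3, "oversight": 3,
}

# Illustrative group membership -> rights table.
GROUP_RIGHTS = {
    "user":      {"edit"},
    "sysop":     {"edit", "delete", "block", "protect"},
    "checkuser": {"checkuser"},
    "oversight": {"oversight"},
}

class Session:
    def __init__(self, user, groups, method):
        if method not in ASSURANCE:
            raise ValueError(f"unknown login method {method!r}")
        self.user = user
        self.groups = frozenset(groups)
        self.method = method

    @property
    def level(self):
        return ASSURANCE[self.method]

def granted_rights(groups):
    rights = set()
    for g in groups:
        rights |= GROUP_RIGHTS.get(g, set())
    return rights

def can(session, right):
    """Return (allowed, reason). Group membership alone is not enough:
    the session must also have been established strongly enough."""
    if right not in granted_rights(session.groups):
        return False, "right not granted to this user"
    need = REQUIRED.get(right, MAX_LEVEL)
    if session.level < need:
        return False, (f"{right} needs assurance {need}; "
                       f"a {session.method} login gives {session.level}")
    return True, "ok"

def usable_rights(session):
    """Rights the user may actually exercise in this session."""
    return {r for r in granted_rights(session.groups) if can(session, r)[0]}

def step_up(session, method):
    """Re-authenticate with a stronger method and return a fresh session.
    Downgrades are refused rather than silently keeping the old level."""
    if ASSURANCE.get(method, 0) <= session.level:
        raise ValueError("step-up must raise the assurance level")
    return Session(session.user, session.groups, method)

if __name__ == "__main__":
    s = Session("alice", ["user", "sysop"], "openid")
    print(sorted(usable_rights(s)))                    # only 'edit'
    print(sorted(usable_rights(step_up(s, "password"))))
```

A sysop who arrived via OpenID keeps editing but gets a clear refusal with the reason when trying to block or delete, and a checkuser on a plain password login is told to re-authenticate with the certificate; the re-authentication produces a new session object rather than mutating the old one, so a weaker session can never be quietly promoted.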