Single Crack 0wnz0r1ng - Wikitech-l - lists.wikimedia.org

List overview All Threads
Download

Single Crack 0wnz0r1ng

Daniel Brandt Links to Google

What does it take to get DPLs...

David Gerard

7 May 2007 7 May '07

11:19 p.m.

Normal people just *don't understand* passwords. I used to do dial-up Internet tech support. "What do you want for a password?" "Oh, [username]." "I'm sorry, you can't have it be the same." "Oh, [username]1." Suggestions? Assume we can't require an RSA keyfob for all editors. - d.

Reply

Show replies by date

James Forrester

7 May 7 May

11:23 p.m.

On 07/05/07, David Gerard <dgerard(a)gmail.com> wrote:

Normal people just *don't understand* passwords. I used to do dial-up Internet tech support. "What do you want for a password?" "Oh, [username]." "I'm sorry, you can't have it be the same." "Oh, [username]1." Suggestions? Assume we can't require an RSA keyfob for all editors.

... but it would certainly not be unfeasible for all users whose details are already held by the Foundation (CheckUser, Oversight, Steward... others?). Intruiging concept - HTTPS-only RSA login for "special" users. But not very wiki-like. :-) Yrs, -- James D. Forrester jdforrester(a)wikimedia.org | james(a)jdforrester.org | jdforrester(a)gmail.com [[Wikipedia:User:Jdforrester|James F.]]

Reply

Gregory Maxwell

11:55 p.m.

On 5/7/07, James Forrester <jdforrester(a)gmail.com> wrote:

On 07/05/07, David Gerard <dgerard(a)gmail.com> wrote:

Normal people just *don't understand* passwords. I used to do dial-up Internet tech support. "What do you want for a password?" "Oh, [username]." "I'm sorry, you can't have it be the same." "Oh, [username]1." Suggestions? Assume we can't require an RSA keyfob for all editors.

... but it would certainly not be unfeasible for all users whose details are already held by the Foundation (CheckUser, Oversight, Steward... others?). Intruiging concept - HTTPS-only RSA login for "special" users. But not very wiki-like. :-)

How about: you can still log in without the cert but you only get your magic privs if you have the cert? Some bread and butter web security would help as well: * Captcha after repeated failed password attempts * Some clientside JS that advises you on estimated password strength in real time * Additional server side rejection of idiotic passwords for all accounts, even stronger for accounts with elevated access. I also think the previously suggested 'sacrifice your sysop bit to desysop someone else' button would be good. Moving login to another domain which is https, sending authentication back via openid, and never asking for a passowrd on a site where any user can provide JS or css would also be wise.. but I guess thats a feature that SUL would make possible.

Reply

Thomas Dalton

8 May 8 May

12:10 a.m.

On 07/05/07, David Gerard <dgerard(a)gmail.com> wrote:

Normal people just *don't understand* passwords. I used to do dial-up Internet tech support. "What do you want for a password?" "Oh, [username]." "I'm sorry, you can't have it be the same." "Oh, [username]1."

Sounds like your old dial-up company didn't understand passwords either - how difficult is it to implement a system which doesn't involve everyone telling tech support their password?

Suggestions? Assume we can't require an RSA keyfob for all editors.

It's not unusual to have a set of rules passwords have to satisfy that are checked whenever an account is made or the password changed. It doesn't take much to stop the "low hanging fruit" of bad passwords (just require a certain length and require at least one letter and at least one number - dictionary searches are good too, but not as easy).

Reply

Thomas Dalton

12:11 a.m.

It's not unusual to have a set of rules passwords have to satisfy that are checked whenever an account is made or the password changed. It doesn't take much to stop the "low hanging fruit" of bad passwords (just require a certain length and require at least one letter and at least one number - dictionary searches are good too, but not as easy).

PS And don't contain the username, of course. (And the username backwards too, I guess)

Reply

David Gerard

12:26 a.m.

On 07/05/07, Thomas Dalton <thomas.dalton(a)gmail.com> wrote:

On 07/05/07, David Gerard <dgerard(a)gmail.com> wrote:

> Normal people just *don't understand* passwords. > I used to do dial-up Internet tech support. "What do you want for a > password?" "Oh, [username]." "I'm sorry, you can't have it be the > same." "Oh, [username]1."

Sounds like your old dial-up company didn't understand passwords either - how difficult is it to implement a system which doesn't involve everyone telling tech support their password?

They were a phone company getting into t3h int@rw3b bizness. They ran the infrastructure on NT. It was my first tech job. I SWEAR. - d.

Reply

GerardM

4:39 a.m.

Hoi, Please consider the implications of raising the requirements for passwords. At this moment we control it because we maintain our own authentication. With SUL there will be only one place where we will do our authentication. With the requirement of having passwords of a certain quality for specific roles, it means that the people assuming such roles will have to have a verifiable quality of authentication. This will probably exclude authentication systems that do not provide sufficient strength in their authentication. Thanks, GerardM On 5/7/07, David Gerard <dgerard(a)gmail.com> wrote:

On 07/05/07, Thomas Dalton <thomas.dalton(a)gmail.com> wrote:

On 07/05/07, David Gerard <dgerard(a)gmail.com> wrote:

> Normal people just *don't understand* passwords. > I used to do dial-up Internet tech support. "What do you want for a > password?" "Oh, [username]." "I'm sorry, you can't have it be the > same." "Oh, [username]1."

Sounds like your old dial-up company didn't understand passwords either - how difficult is it to implement a system which doesn't involve everyone telling tech support their password?

They were a phone company getting into t3h int@rw3b bizness. They ran the infrastructure on NT. It was my first tech job. I SWEAR. - d. _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/wikitech-l

Reply

David Gerard

4:41 a.m.

On 07/05/07, GerardM <gerard.meijssen(a)gmail.com> wrote:

Please consider the implications of raising the requirements for passwords. At this moment we control it because we maintain our own authentication. With SUL there will be only one place where we will do our authentication.

You're right. Tubgirl on every page of the encyclopedia is far preferable. - d.

Reply

GerardM

4:47 a.m.

Hoi, Don't be daft and try to understand before you spout nonsense. People consider using OpenID as an authentication source for Wikipedia. Now engage brain. Thanks, GerardM On 5/7/07, David Gerard <dgerard(a)gmail.com> wrote:

On 07/05/07, GerardM <gerard.meijssen(a)gmail.com> wrote:

Please consider the implications of raising the requirements for

passwords.

At this moment we control it because we maintain our own authentication. With SUL there will be only one place where we will do our

authentication. You're right. Tubgirl on every page of the encyclopedia is far preferable. - d. _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/wikitech-l

Reply

Rob Church

5:31 a.m.

On 07/05/07, GerardM <gerard.meijssen(a)gmail.com> wrote:

Hoi, Don't be daft and try to understand before you spout nonsense. People consider using OpenID as an authentication source for Wikipedia. Now engage brain.

Please try to refrain from attacking members of the community in good standing, regardless of whether or not they are "spouting nonsense", which David was not. Rob Church

Reply

GerardM

1:26 p.m.

Hoi, Suggesting that I would be in favour of having the tubgirl on every page is hardly an example of being nice. Daft is on a par with silly. Calling that "attacking" is imho a stretch. David is in good standing and so am I. So it would be better for him to react less primary. David does not have a license to offend either. Thanks, Gerard On 5/8/07, Rob Church <robchur(a)gmail.com> wrote:

On 07/05/07, GerardM <gerard.meijssen(a)gmail.com> wrote:

Hoi, Don't be daft and try to understand before you spout nonsense. People consider using OpenID as an authentication source for Wikipedia. Now

engage

brain.

Please try to refrain from attacking members of the community in good standing, regardless of whether or not they are "spouting nonsense", which David was not. Rob Church _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/wikitech-l

Reply

Rob Church

9 May 9 May

3:46 a.m.

On 08/05/07, GerardM <gerard.meijssen(a)gmail.com> wrote:

Hoi, Suggesting that I would be in favour of having the tubgirl on every page is hardly an example of being nice. Daft is on a par with silly. Calling that "attacking" is imho a stretch.

Telling someone they're "spouting nonsense" didn't exactly reduce the level of it, did it? By the way; your classic greeting of "hoi" is usually considered to be quite a rude way of getting someone's attention in the English speaking world. This whole cultural acceptance thing goes both ways. Rob Church

Reply

Simetrical

3:56 a.m.

On 5/8/07, Rob Church <robchur(a)gmail.com> wrote:

On 08/05/07, GerardM <gerard.meijssen(a)gmail.com> wrote:

Hoi, Suggesting that I would be in favour of having the tubgirl on every page is hardly an example of being nice. Daft is on a par with silly. Calling that "attacking" is imho a stretch.

Telling someone they're "spouting nonsense" didn't exactly reduce the level of it, did it? By the way; your classic greeting of "hoi" is usually considered to be quite a rude way of getting someone's attention in the English speaking world. This whole cultural acceptance thing goes both ways.

If you two want to argue, please take it to private e-mail. Development talk here, please.

Reply

Rob Church

4:03 a.m.

On 08/05/07, Simetrical <Simetrical+wikilist(a)gmail.com> wrote:

If you two want to argue, please take it to private e-mail. Development talk here, please.

My sincere apologies to the list. C'mon, Gerard, let's take this to the official fighting list, or as they prefer us to call it, foundation-l. Rob Church

Reply

Gregory Maxwell

8 May 8 May

4:49 a.m.

On 5/7/07, David Gerard <dgerard(a)gmail.com> wrote:

On 07/05/07, GerardM <gerard.meijssen(a)gmail.com> wrote:

Please consider the implications of raising the requirements for passwords. At this moment we control it because we maintain our own authentication. With SUL there will be only one place where we will do our authentication.

You're right. Tubgirl on every page of the encyclopedia is far preferable.

Gerard's point is that if we accept outside openid auth we will not be able to impose password requirements. I didn't think doing that was a goal, I think we were only planning on being an authentication source to others.

Reply

Simetrical

8:52 a.m.

On 5/7/07, Gregory Maxwell <gmaxwell(a)gmail.com> wrote:

Gerard's point is that if we accept outside openid auth we will not be able to impose password requirements.

Or at least not easily. We'd have to basically try brute-forcing the password remotely, which will not be fun or easy or possibly even legal. Unless we can get LJ or whoever to play along. We could just not allow OpenID logins to use sysop powers.

Reply

6236

days inactive

6237

days old

wikitech-l@lists.wikimedia.org

Manage subscription

15 comments

7 participants

tags (0)

participants (7)

David Gerard
GerardM
Gregory Maxwell
James Forrester
Rob Church
Simetrical
Thomas Dalton