By mistake, I seem to have logged in as another user. I was typing my username, when my finger slipped and I logged in before I had either finished typing my complete username, or any password whatsoever.
It seems that the user I accidentally logged in as has an empty password.
* is this really possible, or have I made a mistake?
* if this really is so, this is a moderate-sized security hole, because this has the same dangers as accounts with publicly accessible passwords, which are generally held to be a case for block-on-sight.
It would probably make sense to check for zero-length passwords at account creation time, and to scan for zero-length and other trivial passwords on existing accounts, if possible, and issue a warning that they will be locked if the user does not change their password after (say) a month.
It would also make sense to try to enforce a simple password-checking routine, to make sure that users from now on can only set passwords that are at least slightly stronger than a single dictionary word (two short words are a surprisingly effective measure in terms of bang-per-character).
-- Neil
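A worked sketch of the two measures Neil proposes above (reject trivial passwords at creation time, and audit existing accounts for them so their owners can be warned and then locked), added here as an example; it is not MediaWiki code and not code from anyone on the thread. It is Python rather than PHP, the word list, the minimum length, the salted-hash scheme and the sample account rows are all constructed for illustration, and the account table does not reflect how MediaWiki actually stores passwords. The audit half shows the part the message only implies: you cannot read existing passwords, so you hash each trivial candidate with the account's own salt and compare against the stored hash.

```python
"""Password-policy check and trivial-password audit, in the spirit of
Neil's two suggestions. Constructed illustration, not MediaWiki code."""
import hashlib
import os
import re
from typing import Dict, Iterator, List, Tuple

# Constructed mini word list; a real deployment would load a full dictionary.
DICTIONARY = {"password", "wiki", "secret", "letmein", "monkey", "dragon"}

# Assumed minimum length; the thread names no specific value.
MIN_LENGTH = 6


def is_single_dictionary_word(password: str) -> bool:
    """True for one dictionary word, ignoring case and a trailing digit run,
    so 'Password1' is caught while 'redtrombone' (two words) is not."""
    core = re.sub(r"\d+$", "", password).lower()
    return core in DICTIONARY


def check_new_password(username: str, password: str) -> List[str]:
    """Creation-time check: return the list of policy violations (empty = ok)."""
    problems = []
    if password == "":
        problems.append("empty password")
    elif len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() == username.lower():
        problems.append("same as username")
    if is_single_dictionary_word(password):
        problems.append("single dictionary word")
    return problems


def hash_password(salt: str, password: str) -> str:
    """Constructed salted-hash scheme for the example; not MediaWiki's format."""
    return hashlib.sha256((salt + ":" + password).encode("utf-8")).hexdigest()


def make_account(username: str, password: str) -> Tuple[str, str, str]:
    """Build a (username, salt, hash) row as a stored account table would hold it."""
    salt = os.urandom(8).hex()
    return username, salt, hash_password(salt, password)


def trivial_candidates(username: str) -> Iterator[Tuple[str, str]]:
    """Candidate passwords an auditor would try against every account."""
    yield "", "empty password"
    yield username.lower(), "password equals username"
    for word in sorted(DICTIONARY):
        yield word, f"dictionary word {word!r}"
        yield word + "1", f"dictionary word {word!r} plus digit"


def audit_accounts(accounts) -> Dict[str, str]:
    """Scan stored hashes for trivial passwords without knowing the plaintext:
    hash each candidate with the account's salt and compare. Returns
    username -> reason for every account that should be warned and then locked."""
    flagged = {}
    for username, salt, stored in accounts:
        for candidate, reason in trivial_candidates(username):
            if hash_password(salt, candidate) == stored:
                flagged[username] = reason
                break
    return flagged


# Constructed sample accounts: one empty password, one dictionary word, one fine.
SAMPLE_ACCOUNTS = [
    make_account("nei", ""),
    make_account("brion", "wiki"),
    make_account("neil", "redtrombone"),
]

if __name__ == "__main__":
    for user, pw in [("neil", ""), ("neil", "Password1"), ("neil", "redtrombone")]:
        print(user, repr(pw), check_new_password(user, pw) or "ok")
    print(audit_accounts(SAMPLE_ACCOUNTS))
```

The audit is deliberately cheap: a handful of candidates per account, which is all that is needed to find empty and single-word passwords. It is not a password cracker, and the "two short words" rule of thumb from the message is reflected only in that a concatenation like "redtrombone" passes both checks.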
Neil Harris wrote:
> By mistake, I seem to have logged in as another user. I was typing my username, when my finger slipped and I logged in before I had either finished typing my complete username, or any password whatsoever.
> It seems that the user I accidentally logged in as has an empty password.
> - is this really possible, or have I made a mistake?
Yes.
> - if this really is so, this is a moderate-sized security hole, because
> this has the same dangers as accounts with publicly accessible passwords, which are generally held to be a case for block-on-sight.
Don't do that if your account is important to you.
> It would probably make sense to check for zero-length passwords at account creation time,
On your own site, set the minimum password length. See DefaultSettings.php for all available configuration settings.
-- brion vibber (brion @ pobox.com)
Brion Vibber wrote:
> It would probably make sense to check for zero-length passwords at account creation time,
> On your own site, set the minimum password length. See DefaultSettings.php for all available configuration settings.
> -- brion vibber (brion @ pobox.com)
The site in question is the en: Wikipedia...
-- Neil
On 12/15/05, Neil Harris neil@tonal.clara.co.uk wrote:
> Brion Vibber wrote:
>> It would probably make sense to check for zero-length passwords at account creation time,
>> On your own site, set the minimum password length. See DefaultSettings.php for all available configuration settings.
>> -- brion vibber (brion @ pobox.com)
> The site in question is the en: Wikipedia...
Brion is obliquely making the point that this is by design on en:Wikipedia.
It's something of a soft-security measure. User accounts shouldn't be terribly exciting. The fewer locks, the less fun.
wikitech-l@lists.wikimedia.org