[Foundation-l] Password security

Brion Vibber brion at pobox.com
Mon Jan 30 23:52:20 UTC 2006


I've disabled the ability to use blank passwords on wiki accounts.

For a long time we treated accounts very laxly in this regard; there generally
wasn't _that_ much reason to secure a casual account unless you were one of the
tiny number of sysops.

In recent years though the number of sysops has exploded, and we've added
customization features like the user javascript which are cool but potentially
really annoying if someone gets into your account and messes with them. As a
small concession to security and accountability, it's time for blank passwords
to go.

While running some password security checks, I found that a handful of sysop
accounts had blank passwords. Probably some non-sysop accounts also had blanks.

Affected accounts can reset the password by the automated e-mail password gadget
on the login form, unless of course they didn't put in an e-mail.

-- brion vibber (brion @ pobox.com)
