[Foundation-l] Password security

Jtkiefer jtkiefer at wordzen.net
Tue Jan 31 00:00:50 UTC 2006


Brion Vibber wrote:
> I've disabled the ability to use blank passwords on wiki accounts.
>
> For a long time we treated accounts very laxly in this regard; there generally
> wasn't _that_ much reason to secure a casual account unless you were one of the
> tiny number of sysops.
>
> In recent years though the number of sysops has exploded, and we've added
> customization features like the user javascript which are cool but potentially
> really annoying if someone gets into your account and messes with them. As a
> small concession to security and accountability, it's time for blank passwords
> to go.
>
> While running some password security checks, I found that a handful of sysop
> accounts had blank passwords. Probably some non-sysop accounts also had blanks.
>
> Affected accounts can reset the password by the automated e-mail password gadget
> on the login form, unless of course they didn't put in an e-mail.
>
> -- brion vibber (brion @ pobox.com)
>
>   
I'm surprised that blank passwords were ever allowed since they are 
probably the worst security you can make, even worse than setting your 
password as password (I wonder how many editors have that as their 
password).  Maybe in the future a more strict password security protocol 
should be established and enforced; forcing password changes every x 
days would be unduly burdensome, but complexity requirements might be a 
good idea, especially since, as you mentioned, the adminship and the 
community pool has enlarged greatly.

-Jtkiefer

p.s. any replies to this on wikitech-l please also forward to one of the 
other lists or cc directly to me otherwise I will not get it as I am not 
subscribed to that list.  Thanks.
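The two controls discussed in this thread, rejecting weak passwords at set time and auditing stored hashes for accounts that still have blank or trivial passwords, as an added example in Python. This is not code from the thread or from MediaWiki: the hash scheme (sha256 over a per-user salt plus the password), the minimum length of 8, the small denylist and the sample accounts are all assumptions constructed for the illustration.

```python
import hashlib
import secrets

# Assumption for this example (not MediaWiki's scheme): passwords are stored as
# sha256(salt || password) with a per-user random salt.  A real deployment should
# use a deliberately slow KDF (bcrypt, scrypt or Argon2); plain sha256 is used
# here only so the audit below is easy to follow.
MIN_LENGTH = 8  # assumed policy minimum, not a value from the thread

# Small constructed denylist; a real one would be far larger.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "wiki"}


def hash_password(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_account(username: str, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"user": username, "salt": salt, "hash": hash_password(salt, password)}


def check_password(username: str, password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if password == "":
        problems.append("blank password")
        return problems  # nothing else is worth reporting for an empty string
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() == username.lower():
        problems.append("equals the username")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    return problems


def find_weak_accounts(accounts, extra_guesses=()) -> dict:
    """Offline audit: re-hash a few obvious guesses under each account's salt.

    Returns {username: guess_that_matched}.  The guess list always starts with
    the empty string (the blank-password case) and the username itself.
    """
    weak = {}
    for acct in accounts:
        guesses = ["", acct["user"], acct["user"].lower(),
                   *sorted(COMMON_PASSWORDS), *extra_guesses]
        for guess in guesses:
            if hash_password(acct["salt"], guess) == acct["hash"]:
                weak[acct["user"]] = guess
                break
    return weak


# Constructed sample accounts, not data from the thread.
SAMPLE_ACCOUNTS = [
    make_account("Alice", "correct horse battery staple"),
    make_account("Bob", ""),            # blank password
    make_account("Carol", "password"),  # the password Jtkiefer worries about
    make_account("Dave", "dave"),       # username as password
]

if __name__ == "__main__":
    for user, guess in sorted(find_weak_accounts(SAMPLE_ACCOUNTS).items()):
        print(f"{user}: guessable with {guess!r}")
```

The audit works without knowing any plaintext because the salt is stored beside the hash, which is exactly why a salted hash alone does not protect a blank or dictionary password: the guess list is tiny and the cost per guess is one hash. The set-time check is the cheaper place to stop these passwords; the audit is for accounts created before the check existed.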
