[Foundation-l] Password security notes
Brion Vibber
brion at wikimedia.org
Mon May 7 22:17:39 UTC 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
As noted in other threads on several mailing lists, a few admin accounts
on en.wikipedia have been compromised recently and used to vandalize
high-traffic protected pages.
We're starting to roll out some additional protections against
password-guessing attacks, including but not limited to:
* Additional logging to better detect dictionary-style attacks
* Speed-bump measures against multiple failed logins
[But not ones that should DoS legitimate users. The traditional "lock out the
account after three tries" would make it trivial to lock out all the
site's sysops -- not wise. :)]
* Weak-password checks on existing sysops on our largest sites. Several
accounts have had their weak passwords invalidated and will need to
reset them by mail before logging in again.
* Several targeted blocks against known cracking attempts.
Over the coming days we will additionally be rolling out more automated
password-strength checkers at login / set-password / change-password
time to reduce the danger of guessable passwords.
Please distribute this information as appropriate to your local
projects/languages.
-- brion vibber (brion @ wikimedia.org)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGP6WDwRnhpk1wk44RApO6AJ9q8MXXhYbVAT9+YoTOZgFwv56YbwCdH2MU
ysd+CDuI1knUHJaD1jd8wUo=
=FGTh
-----END PGP SIGNATURE-----