[Foundation-l] Password security notes
Jeff V. Merkey
jmerkey at wolfmountaingroup.com
Mon May 7 22:19:28 UTC 2007
Brion Vibber wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>As noted in other threads on several mailing lists, a few admin accounts
>on en.wikipedia have been compromised recently, used to vandalize
>high-traffic protected pages.
>
>We're starting to roll out some additional protections against
>password-guessing attacks, including but not limited to:
>
>* Additional logging to better detect dictionary-style attacks
>
>* Speed-bump measures against multiple failed logins
>[But not that should DoS legitimate users. The traditional "lock out the
>account after three tries" would make it trivial to lock out all the
>site's sysops -- not wise. :)]
>
>
What you should do here is after three failed attempts **CHANGE** the
password and email the new password
to the affected account. Otherwise, the account is locked up. It will
require people enter a valid email address, but oh well.
Jeff
More information about the foundation-l
mailing list