[WikiEN-l] Please change your passwords.

Gwern Branwen gwern0 at gmail.com
Wed May 9 01:44:48 UTC 2007


On  0, Tim Starling <tstarling at wikimedia.org> scribbled:
> Zoney wrote:
> > On 08/05/07, Matthew Brown <morven at gmail.com> wrote:
> >>
> >> We're not professional.  Except for a tiny bunch of people who work
> >> for the Foundation, we're all volunteers and our time is not
> >> especially coordinated.  Wikipedia is what it is, and part of that is
> >> that we've grown faster than our organization has.
> >>
> >> -Matt
> >>
> >>
> > The project should be managed professionally if it is indeed a serious
> > project. Otherwise it's all just a bit of a larf and it'll eventually come
> > crashing down. However, the project *is* taken seriously by those of us
> > involved, and attempts to pass itself off as a serious endeavour. Indeed
> > that mostly works, and so a large section of the media and the public take
> > the project seriously (maybe they shouldn't). That is why I consider it
> > serious for us to be so unprofessional about such a critical issue as site
> > security.
> >
> > Is there an official line on what needs to be done, and what exactly
> > administrators should do with respect to passwords? Has it been relayed to
> > each and every administrator in a proper fashion? (the email I received was
> > rather informal) Is this information put to new admins (or even ordinary
> > users) in a coherent fashion? I do not think being knowledgeable on the
> > subject of password security should be a necessary criterion for a Wikipedia
> > administrator. So there needs to be a definitive process for the uninitiated
> > to follow.
>
> Who are you calling unprofessional? The people who quickly, competently
> and comprehensively fixed the problem on the server side, or the people
> who jumped up and down on the lists and wikis about the need for everyone
> to change their passwords? I think you should make that clear.
>
> -- Tim Starling

I think he's clearly referring to the community and possibly the Board; elements have not responded particularly calmly and rationally. I don't see any basis on which to criticize the developers - from what I've heard, they/you dropped everything to run the password cracker on admin accounts and begin coding up protection from guessing attacks to add to the login page.

--
Gwern
Inquiring minds want to know.



