On Wed, Oct 26, 2011 at 1:55 PM, William Allen Simpson < william.allen.simpson@gmail.com> wrote:
# Temporary password: YH2MnDD
#
# This temporary password will expire in 7 days.
# You should log in and choose a new password now. If someone else made this
# request, or if you have remembered your original password, and you no longer
# wish to change it, you may ignore this message and continue using your old
# password.
#
I use fairly long passwords with special characters (a 96 character set
including space). This replacement password is much more easily guessed.
The account could have been stolen within minutes or hours.
https://secure.wikimedia.org/wikipedia/en/wiki/Password_strength
(Merely 7 case insensitive alphanumeric characters is equivalent to only 40-bits of strength.)
I do seriously wonder whether it is possible to steal such a password 'within minutes or hours'. My calculation says that to do it within 24 hours, one needs to test 40 million passwords per second. And remember that 'testing' in this case means sending a message to the Wikimedia servers and waiting for an answer. Surely getting over 1000 times the normal number of requests per second (I have no number for the total number of requests, but the number of page requests seems to be around 6000 per second) is something that would not remain unnoticed at the Wikimedia servers for 24 hours.
Please update the password generator to use at least 17 characters, with at least some punctuation! (Users reading the text might have trouble noticing blanks, so don't use the space character.)
The more sensitive way of working, in my opinion, would be to invalidate the temporary password after a certain, low, number of tries, and allow a temporary password only a restricted number of times within a certain period. For example, if the password is expired after 5 failed login attempts, and a new temporary password is only sent once a minute, an attacker is effectively reduced to one attempt per 12 seconds, making cracking a 62-alphabet, 7-character key such as this one a task which takes in the order of one million years.
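The two calculations in this thread (about 40 million guesses per second to exhaust a 7-character, 62-symbol space in 24 hours, and on the order of a million years once each temporary password is killed after 5 failures and re-issued at most once a minute) carried through as an added example. This is not code from the thread or from MediaWiki; the function names, the 94-symbol printable-ASCII alphabet used for the 17-character comparison, and the 365.25-day year are my own assumptions.

```python
"""Brute-force cost model for online guessing of a temporary password.

Added illustration only; not MediaWiki code. Alphabet sizes, year length and
the lockout policy are assumptions chosen to match the figures in the thread.
"""
import math

ALNUM = 62            # [A-Za-z0-9], the alphabet the 7-char password was drawn from
ALNUM_PUNCT = 94      # printable ASCII minus space (assumed alphabet for the 17-char proposal)
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY   # assumed Julian year


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)


def rate_needed_for_deadline(alphabet_size: int, length: int, deadline_seconds: float) -> float:
    """Guesses per second an attacker needs to exhaust the whole keyspace
    before the deadline (the 24-hour figure in the thread)."""
    return keyspace(alphabet_size, length) / deadline_seconds


def lockout_rate(max_failures_per_password: int, reissue_interval_seconds: float) -> float:
    """Attempts per second an attacker actually gets when each temporary
    password is invalidated after max_failures wrong guesses and a fresh one
    is issued at most once per reissue interval."""
    return max_failures_per_password / reissue_interval_seconds


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case (full keyspace) search time in years at a fixed guess rate.
    The expected time to hit a random password is half of this."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def main() -> None:
    # The 7-character alphanumeric temporary password, unthrottled:
    print(f"62^7 keyspace        : {keyspace(ALNUM, 7):,}")
    print(f"bits of strength     : {entropy_bits(ALNUM, 7):.1f}")
    print(f"guesses/s for 24 h   : {rate_needed_for_deadline(ALNUM, 7, SECONDS_PER_DAY):,.0f}")

    # Same password, but 5 failures kill it and a new one is sent once a minute:
    throttled = lockout_rate(5, 60)          # 1 attempt every 12 seconds
    print(f"throttled attempts/s : {throttled:.4f}")
    print(f"years to exhaust     : {years_to_exhaust(ALNUM, 7, throttled):,.0f}")

    # The proposed 17-character password with punctuation, for comparison:
    print(f"bits for 17 x 94     : {entropy_bits(ALNUM_PUNCT, 17):.1f}")


if __name__ == "__main__":
    main()
```

The point the numbers make is that the rate limit, not the alphabet, is what moves the figure from "hours" to "geological time": throttling to one attempt per 12 seconds multiplies the attacker's cost by about 5 x 10^8 on its own, whereas lengthening the password only helps against an attacker who can guess at full speed.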