On 26 October 2011 13:55, William Allen Simpson william.allen.simpson@gmail.com wrote:
Many of these accounts have expired email, so I don't see any notices. Recently, one that has a current email sent me a notice that reads in relevant part:

    # Temporary password: YH2MnDD
    #
    # This temporary password will expire in 7 days.
    # You should log in and choose a new password now. If someone else made this
    # request, or if you have remembered your original password, and you no longer
    # wish to change it, you may ignore this message and continue using your old
    # password.
    #

I use fairly long passwords with special characters (a 96 character set including space). This replacement password is much more easily guessed. The account could have been stolen within minutes or hours.
https://secure.wikimedia.org/wikipedia/en/wiki/Password_strength
(Merely 7 case-insensitive alphanumeric characters is equivalent to only 40 bits of strength.)
Please update the password generator to use at least 17 characters, with at least some punctuation! (Users reading the text might have trouble noticing blanks, so don't use the space character.)
You do not seem to understand how they get access to your password these days. Far fewer people try to get through the front door. Most systems have methods against brute-forcing (e.g. waiting for 5 seconds on every third wrong guess, etc.). So brute-forcing is not desirable against the system you are trying to hack (unless you wish to deny it service).
The most likely scenario is an attempt to obtain either the database through SQL injections (probably tricky on a MediaWiki setup) or through your cookie. Most systems use a system where the hashed salted (I hope) password is saved in the cookie. Somehow getting your cookie will allow them to brute-force the hashed sum. Although, depending on your system, this can take from a few hours to a couple of years.
Few systems are going to walk up to the front door and try to knock themselves in. Your system will discover the behaviour if it is clever enough.
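As an added illustration of the generator change requested in the quoted message (example code written for this thread, not MediaWiki's own password code), the following Python draws temporary passwords from a CSPRNG over letters, digits and punctuation with the space character excluded, requires at least 17 characters including some punctuation, and estimates the entropy of a uniformly random password for a given alphabet size and length. The policy constants and function names are my own assumptions.

```python
import math
import secrets
import string

# Alphabet for temporary passwords: letters, digits and punctuation, but no
# space, since readers may not notice blanks in the emailed text (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 17  # assumed policy value, taken from the request in the thread


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def meets_policy(password: str) -> bool:
    """Length >= MIN_LENGTH, at least one punctuation character, no spaces."""
    return (
        len(password) >= MIN_LENGTH
        and " " not in password
        and any(c in string.punctuation for c in password)
        and all(c in ALPHABET for c in password)
    )


def generate_temporary_password(length: int = MIN_LENGTH) -> str:
    """Draw a password with the secrets module (a CSPRNG), never `random`.

    Rejection sampling keeps the distribution uniform over the accepted set:
    the candidate is redrawn until it contains punctuation, rather than
    forcing a punctuation symbol into a fixed position.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"temporary passwords must be at least {MIN_LENGTH} chars")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    # Entropy of a 7-char lowercase alphanumeric style versus the requested style.
    print(f"7 chars, 36-symbol alphabet: {entropy_bits(36, 7):.1f} bits")
    print(f"{MIN_LENGTH} chars, {len(ALPHABET)}-symbol alphabet: "
          f"{entropy_bits(len(ALPHABET), MIN_LENGTH):.1f} bits")
    print("example:", generate_temporary_password())
```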