On Wed, Apr 4, 2012 at 5:43 PM, Petr Bena <benapetr(a)gmail.com> wrote:
I have seen there is a lot of wikis where people are
concerned about
inactive sysops. They managed to set up a strange rule where sysop
rights are removed from inactive users to improve the security.
However the sysops are allowed to request the flag to be restored
anytime. This doesn't improve security even a bit as long as hacker
who would get to some of inactive accounts could just post a request
and get the sysop rights just as if they hacked to active user.
Not all wikis blindly give the user their rights back when they do
this "theatrical" based security model.
For this reason I think we should create a new
extension auto sysop
removal, which would remove the flag from all users who didn't login
to system for some time,
There is already one that does this from memory (Without checking, E:LandLord)
and if they logged back, the confirmation
code would be sent to email, so that they could reactivate the sysop
account.
Again, Just theatrical security, Most people tend to use the same
passwords everywhere, if this was the case for said Sysop, Their email
is also compromised. Also this would require wikis to have email
sending setup, as well as the user to have confirmed theirs.
This would be much simpler and it would actually make
hacking
to sysop accounts much harder.
Not really, per my point above.
On Wed, Apr 4, 2012 at 5:54 PM, Petr Bena <benapetr(a)gmail.com> wrote:
More:
IP addresses which do N bad login attemps should be blocked from
accessing login page for Z minutes (You have done too many bad login
attempts, please wait 5 minutes before trying again)
This would help to avoid bots who try to compromise account by trying
random passwords
We already do this, I believe.
The target user should be notified according to their
personal config
(They could specify if they want to be warned if someone is about to
compromise their account or not)
Pointless user prefernce IMHO, we should just send them (for wikis
that have email setup) and probably inculde a note along the lines of
"You should consider making sure your password is secure, some handy
hints areā¦"
On Wed, Apr 4, 2012 at 6:16 PM, Amir E. Aharoni
<amir.aharoni(a)mail.huji.ac.il> wrote:
There's no point in making technical solutions for
problems which are
imaginary in the first place, just as you say. The English Wikipedia
community rejects the notion that sysop inactivity is a problem quite
firmly, and it does just fine. Meta, Commons, my home Hebrew Wikipedia
and some other projects do have such rules, and they are completely
pointless.
En.Wiki does de-Sysop inactivtive accounts now.