My staff email is boring. You're more than welcome to break in.
-Chad On Aug 7, 2014 7:27 PM, "Pine W" wiki.pine@gmail.com wrote:
There are "good" reasons people would target checkuser accounts, WMF staff email accounts, and other accounts that have access to lots of private info like functionary email accounts and accounts with access to restricted IRC channels.
Pine
On Thu, Aug 7, 2014 at 11:21 AM, Ryan Lane rlane32@gmail.com wrote:
On Thu, Aug 7, 2014 at 6:58 AM, Casey Brown lists@caseybrown.org
wrote:
On Thu, Aug 7, 2014 at 8:10 AM, Risker risker.wp@gmail.com wrote:
A lot of the "solutions" normally bandied about involve things like two-factor identification, which has the "additional" password coming through a separate route (e.g., gmail two-factor ID sends a second
password
as a text to a mobile) and means having more expensive technology) or
using
technology like dongles that cannot be sent to users in certain
countries.
Actually, most modern internet implementations use the TOTP algorithm open standard that anyone can use for free. https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm One of the most common methods, other than through text messages, is the Google Authenticator App that anyone can download for free on a smart phone. https://en.wikipedia.org/wiki/Google_Authenticator.
Yep. This. It's already being used for high-risk accounts on wikitech.wikimedia.org. It's not in good enough shape to be used
anywhere
else, since if you lose your device you'd lose your account. Supporting
two
factor auth also requires supporting multiple ways to rescue your account if you lose your device (and don't write down your scratch tokens, which
is
common). Getting this flow to work in a way that actually adds any
security
benefit is difficult. See the amount of effort Google has gone through
for
this.
Let's be a little real here, though. There's honestly no good reason to target these accounts. There's basically no major damage they can do and there's very little private information accessible to them, so attackers don't really care enough to attack them.
We should take basic account security seriously, but we shouldn't go overboard.
- Ryan
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l