[personal profile] reddragdiva

An English Wikipedia admin account just got compromised and abused again, because the admin used "fuckyou" as a password. That's the sixth most common password, I think. The main page was deleted for five minutes and Tubgirl was put in the sitenotice.

Brion and Greg are (right now) running a password cracker over the admin accounts. If you want to keep your admin bit and know, deep in your heart, that your password is a bit rubbish, I strongly suggest changing it or it will be locked. Hint: if it shows up in Google, it's a rubbish password. Or enter it into the search box at the right of my Wikipedia blog with your username — I have a, uh, phishing detector running there. Yes, that's it. A note on the subject has been added to Wikipedia:Administrators.

Now we eagerly await Single Crack 0wnz0ring. Normal people just don't get passwords. I used to do dial-up Internet tech support. "What do you want for a password?" "Oh, [username]." "I'm sorry, you can't have it be the same." "Oh, [username]1." Suggestions? Assume we can't require an RSA keyfob for all editors.

(no subject)

Date: 2007-05-07 04:18 pm (UTC)
From: [identity profile] secretlondon.livejournal.com
I dread to think what the results of this are going to be...

(no subject)

Date: 2007-05-07 04:18 pm (UTC)
From: [identity profile] http://users.livejournal.com/_nicolai_/
Oh, tasty.
RSA, and other, crypto tokens suffer from key initialisation problems, but do help somewhat. Until people lose them, etc.

(no subject)

Date: 2007-05-07 04:23 pm (UTC)
From: [identity profile] secretlondon.livejournal.com
Oh, someone's posted that using an open access point allows people to see one's password. Is this the case? (It would need a tech-savvy neighbour.) And would the secure server stop that?

(no subject)

Date: 2007-05-07 04:37 pm (UTC)
From: [identity profile] hirez.livejournal.com
Yes (given some minor hackery: your miscreant would need to be on the same AP and probably running ettercap (IIRC), or indeed running the AP), and yes.

(no subject)

Date: 2007-05-07 04:29 pm (UTC)
From: [identity profile] hellsop.livejournal.com
I wonder how many of the password "rules" are thought up by people in the shower. No "reverse dictionary word shift left" as part of a password?

(no subject)

Date: 2007-05-07 04:30 pm (UTC)
From: [identity profile] ladykathryn.livejournal.com
For all users or admin-level only?

(no subject)

Date: 2007-05-07 04:37 pm (UTC)
From: [identity profile] secretlondon.livejournal.com
Admin only.

(no subject)

Date: 2007-05-07 04:44 pm (UTC)
From: [identity profile] hirez.livejournal.com
Suggestions:

http://hirez.livejournal.com/126331.html (Common p/ws. John the ripper)
http://hirez.livejournal.com/126715.html (Winders non-shite p/w generator)
http://hirez.livejournal.com/127776.html (KDE version)

Though when I say 'non-shite', a quick squint at the JtR config shows that the second thing it checks for is the common leet-speak substitutions.
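As an added illustration of the check hirez describes (not code from the linked posts or from JtR itself), this reverses the common leet-speak substitutions and strips tacked-on digits and punctuation before looking the result up in a wordlist; the wordlist here is a constructed stand-in for the real dictionary.

```python
from itertools import islice, product
from typing import Optional

# Constructed wordlist standing in for the dictionary John the Ripper or cracklib
# would use; a real deployment loads a large list from disk.
COMMON_WORDS = {"password", "wikipedia", "letmein", "fuckyou", "qwerty", "monkey"}

# Reverse leet-speak map: each symbol lists the letters it commonly stands in for.
LEET = {"@": "a", "4": "a", "3": "e", "1": "il", "!": "i",
        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"}

# Digits and punctuation users tack on the ends of a word ("password1", "!secret").
AFFIX_CHARS = "0123456789!@#$%^&*()_-+=.,?"

MAX_EXPANSIONS = 4096  # bound the combinatorial blow-up on long inputs


def leet_expansions(text: str):
    """Yield every plain-text spelling the input could be a leet-speak form of."""
    options = [LEET.get(c, c) for c in text.lower()]
    for combo in islice(product(*options), MAX_EXPANSIONS):
        yield "".join(combo)


def dictionary_match(password: str, words=COMMON_WORDS) -> Optional[str]:
    """Return the dictionary word the password reduces to, or None if it survives.

    The password is checked as typed and with leading/trailing affixes stripped,
    each de-leeted, so 'P@ssw0rd1' is rejected as a spelling of 'password'.
    """
    forms = {password.lower(), password.lower().strip(AFFIX_CHARS)}
    for form in forms:
        if not form:
            continue
        for plain in leet_expansions(form):
            if plain in words:
                return plain
    return None
```

Run this at password-change time; a non-None result is the reason to show the user.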

(no subject)

Date: 2007-05-07 04:55 pm (UTC)
From: [identity profile] commlal.livejournal.com
How hard is it to come up with a secure password? FFS.

(no subject)

Date: 2007-05-07 04:58 pm (UTC)
From: [identity profile] siani-hedgehog.livejournal.com
the thing about normal people and passwords is that for most of us, most of our passwords will never be challenged at all. thus, it just doesn't seem worthwhile to come up with a good one. and the thing about good ones is that the better your password is, the harder it is to remember. i find it utterly impossible to remember all my passwords and PINs if i make them too good, and avoid too much repetition. then i end up having to write them all down, which kinda defeats the purpose...

(no subject)

Date: 2007-05-07 07:08 pm (UTC)
From: [identity profile] flowerysong.livejournal.com
My problem is that as part of my work I have to have logins to upwards of 25 different systems (applications, OSen, etc.) each of which expires at a different time and has different criteria as to what a "secure" password is. Add in my home network, personal email accounts, various internet fora, financial institutions, et cetera and even my young, flexible mind (hah) has difficulty remembering them all.

So I reuse passwords. It's not great security, but for crap like Wikipedia that I don't use very often it's a lot easier to know that it's one of three passwords rather than a unique password that I won't remember.

(no subject)

Date: 2007-05-07 05:12 pm (UTC)
From: [identity profile] rbarclay.livejournal.com
Suggestions? Assume we can't require an RSA keyfob for all editors.

cracklib for the password creation/changing bit, and weekly (at the very least) 2h runs of john against the password file. This combination works wonders against most common bullshit users come up with.

(no subject)

Date: 2007-05-07 05:19 pm (UTC)
From: [identity profile] ewx.livejournal.com
Assign random passwords rather than letting people choose them. They'll write them down, but who's going to steal someone's wallet just to vandalize Wikipedia?

(no subject)

Date: 2007-05-07 05:55 pm (UTC)
From: [identity profile] http://users.livejournal.com/_nicolai_/
... and if you do get hardware tokens, don't get them from RSA, because RSA ones are expensive, expire (at a set date, not "wear out"), require you to use their custom authserver, do not do site licenses, and RSA patented an algorithm and then enforced their patent.
Vasco make tokens without many of these disadvantages, as do others; finding a suitably open-content/source/culture friendly vendor and hitting them up for a donation of 2000 tokens is left as an exercise.

(no subject)

Date: 2007-05-07 07:58 pm (UTC)
From: [identity profile] feanelwa.livejournal.com
Put up a guideline advising passwords of the form [short word][number][short word] and user can draw a picture of the password that looks like an innocuous doodle? Like, um, ant6hill, an anthill with six ants standing outside.

(no subject)

Date: 2007-05-07 10:06 pm (UTC)
From: [identity profile] damerell.livejournal.com
When I was a Computer Officer, I'd shoulder-surf undergraduates. All else aside, "cuntflaps" is nine letters, children.

(no subject)

Date: 2007-05-07 10:55 pm (UTC)
From: [identity profile] loosechanj.livejournal.com
Hint: if it shows up in Google, it's a rubbish password.

Well fuck there's a website. Who would have thought.

(no subject)

Date: 2007-05-08 03:25 pm (UTC)
From: [identity profile] brassratgirl.livejournal.com
Heh. For me as well. And appearing in an Arabic-language blog. How strange. *sigh*

(no subject)

Date: 2007-05-07 11:56 pm (UTC)
From: [personal profile] vatine
Back when I was adminning a phone system with an over-competent "check your voicemail" voice portal (including such nifty features as being able to specify a redirection number and switching redirect on via only PIN-identified, from-any-phone ability), I was draconian enough to insist on
  • 6-digit PINs
  • Not containing the extension backwards or forwards
  • Not being in similar form to 111222, 123321, 123123, 112233
  • And blocking the login ability after two failed attempts.

That was hard enough to get people to understand. Eventually, "if you don't let me do this, it'll cost you MONEY, as in hundreds of quid a day, if you're unlucky" brought the point home.
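The four rules above as a policy check plus lockout, written here as an added example and not vatine's own code. It assumes a 4-digit extension, generalises the "similar form" rule to repeated halves, palindromes, run-only PINs and straight sequences, and keeps PINs in plaintext purely for brevity.

```python
import hmac
from itertools import groupby
from typing import Dict, List


def is_patterned(pin: str) -> bool:
    """True for PINs 'in similar form to' 111222, 123321, 123123, 112233 (generalised)."""
    half = len(pin) // 2
    if pin[:half] == pin[half:]:                      # 123123: repeated half
        return True
    if pin == pin[::-1]:                              # 123321: palindrome
        return True
    runs = [len(list(g)) for _, g in groupby(pin)]    # 111222, 112233, 111111: runs only
    if all(r >= 2 for r in runs):
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})                       # 123456 / 654321: straight sequences


def pin_problems(pin: str, extension: str) -> List[str]:
    """Return the rules a proposed voicemail PIN breaks (empty list = acceptable)."""
    if not (pin.isdigit() and len(pin) == 6):
        return ["must be exactly 6 digits"]
    problems = []
    if extension and (extension in pin or extension[::-1] in pin):
        problems.append("contains the extension forwards or backwards")
    if is_patterned(pin):
        problems.append("follows a simple pattern such as 111222 or 123321")
    return problems


class VoicemailAuth:
    """Lock a mailbox after two failed PIN attempts; only an admin reset would unlock it."""
    MAX_FAILURES = 2

    def __init__(self, pins: Dict[str, str]):
        self._pins = pins            # extension -> PIN (assumed plaintext store; hash in practice)
        self._failures: Dict[str, int] = {}
        self._locked = set()

    def login(self, extension: str, pin: str) -> bool:
        if extension in self._locked:
            return False
        if hmac.compare_digest(self._pins.get(extension, ""), pin):
            self._failures[extension] = 0
            return True
        self._failures[extension] = self._failures.get(extension, 0) + 1
        if self._failures[extension] >= self.MAX_FAILURES:
            self._locked.add(extension)
        return False

    def is_locked(self, extension: str) -> bool:
        return extension in self._locked
```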

(no subject)

Date: 2007-05-08 02:17 am (UTC)
From: [identity profile] quiet000001.livejournal.com
Neph's suggestion for passwords for a while was "pick a lyric from a song you like, take the first letter of each word, add in a few capitals, and stick a number on the end."

I assume it's a reasonably secure method for generating them, since he cared about such things, and I always found it reasonable to remember. (One of my passwords for a while was, for example, HiwYwH42.)