reddragdiva: (Wikipedia)

An English Wikipedia admin account just got compromised and abused again, because the admin used "fuckyou" as a password. That's the sixth most common password, I think. The main page was deleted for five minutes and Tubgirl was put in the sitenotice.

Brion and Greg are (right now) running a password cracker over the admin accounts. If you want to keep your admin bit and know, deep in your heart, that your password is a bit rubbish, I strongly suggest changing it or it will be locked. Hint: if it shows up in Google, it's a rubbish password. Or enter it into the search box at the right of my Wikipedia blog with your username — I have a, uh, phishing detector running there. Yes, that's it. A note on the subject has been added to Wikipedia:Administrators.

Now we eagerly await Single Crack 0wnz0ring. Normal people just don't get passwords. I used to do dial-up Internet tech support. "What do you want for a password?" "Oh, [username]." "I'm sorry, you can't have it be the same." "Oh, [username]1." Suggestions? Assume we can't require an RSA keyfob for all editors.

Page 1 of 3 << [1] [2] [3] >>

(no subject)

Date: 2007-05-07 04:18 pm (UTC)
From: [identity profile] secretlondon.livejournal.com
I dread to think what the results of this are going to be...

(no subject)

Date: 2007-05-07 04:18 pm (UTC)
From: [identity profile] http://users.livejournal.com/_nicolai_/
Oh, tasty.
RSA, and other, crypto tokens suffer from key initialisation problems, but do help somewhat. Until people lose them, etc.

(no subject)

Date: 2007-05-07 04:23 pm (UTC)
From: [identity profile] secretlondon.livejournal.com
Oh, someone's posted that using an open access point allows people to see one's password. Is this the case? (It would need a tech-savvy neighbour.) And would the secure server stop that?

(no subject)

Date: 2007-05-07 04:29 pm (UTC)
From: [identity profile] hellsop.livejournal.com
I wonder how many of the password "rules" are thought up by people in the shower. No "reverse dictionary word shift left" as part of a password?

(no subject)

Date: 2007-05-07 04:30 pm (UTC)
From: [identity profile] ladykathryn.livejournal.com
For all users or admin-level only?

(no subject)

Date: 2007-05-07 04:37 pm (UTC)
From: [identity profile] hirez.livejournal.com
Yes (given some minor hackery: your miscreant would need to be on the same AP and probably running ettercap (IIRC), or indeed running the AP), and yes.

(no subject)

Date: 2007-05-07 04:37 pm (UTC)
From: [identity profile] secretlondon.livejournal.com
Admin only.

(no subject)

Date: 2007-05-07 04:38 pm (UTC)
From: [identity profile] secretlondon.livejournal.com
OK, will do. I think people who run open access points generally lack tech-foo, but better to be safe than sorry.

(no subject)

Date: 2007-05-07 04:39 pm (UTC)
From: [identity profile] secretlondon.livejournal.com
And many people are not tech savvy.

(no subject)

Date: 2007-05-07 04:43 pm (UTC)
From: [identity profile] ladykathryn.livejournal.com
With a private organization and a small group that needs them, the risk of physical token loss can be greatly offset by having a replacement policy that requires the user to pay for the replacement cost. In other words, people are a hell of a lot more careful with their keyfobs when they know it's $250 coming out of their pocket.

(I lost my RSA token once. The embarrassment was... excruciating. More irritatingly though, I also lost my cute little purple MagLite, my beer bottle opener, and my mini Swiss Army knife, none of which I've managed to replace. Ugh. Totally irrelevant tho.)

(no subject)

Date: 2007-05-07 04:44 pm (UTC)
From: [identity profile] hirez.livejournal.com
Suggestions:

http://hirez.livejournal.com/126331.html (Common p/ws. John the ripper)
http://hirez.livejournal.com/126715.html (Winders non-shite p/w generator)
http://hirez.livejournal.com/127776.html (KDE version)

Though when I say 'non shite' a quick squint at the JtR config shows that the second thing it checks for is the common leet-speak substitutions.

(no subject)

Date: 2007-05-07 04:45 pm (UTC)
From: [identity profile] hirez.livejournal.com
... Or do it on purpose.

(no subject)

Date: 2007-05-07 04:50 pm (UTC)
From: [identity profile] ladykathryn.livejournal.com
Easiest answer: force a system-wide password change for admin users, and enforce password standards using the obvious criteria. Don't allow the dumbshit passwords to make it in. Scan routinely instead of occasionally. Good old basic sysadmin stuff. I hardly need to suggest this, right?

Harder answer: I forget what it's called because it's not termtime and I've forgotten everything: you know the thing with the client-side image/phrase pair identification?

Really, really paranoid answer: security tokens, biometrics, liens on custody of firstborn, roving bands of angry security people armed with pick-axes and copies of snort. Most amusing, probably not practical.
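An added example, not code from anyone in this thread: a password-policy check of the kind ladykathryn proposes ("don't allow the dumbshit passwords to make it in"). It rejects the "[username]1" trick from the original post and undoes the leet-speak substitutions hirez notes a cracker's rule set tries before looking the result up in a wordlist. The wordlist is a constructed sample and the function names are hypothetical.

```python
import re

# Constructed sample of a common-password list. A real deployment would load a
# full wordlist, such as those shipped with a cracker like John the Ripper.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "fuckyou", "letmein", "abc123"}

# Reverse of the leet-speak substitutions a cracker's rule set tries, so that
# "P@ssw0rd" normalises back to "password" before the wordlist lookup.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t", "+": "t"})


def normalise(text: str) -> str:
    """Lower-case, drop trailing digits/punctuation (the '[username]1' trick),
    then undo leet substitutions. Stripping happens first so a trailing '1'
    is not mistaken for a leet 'i'."""
    lowered = text.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return stripped.translate(LEET_MAP)


def check_password(username: str, password: str, min_len: int = 8) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    norm = normalise(password)
    # Check both the raw password and its normalised form against the list.
    if password.lower() in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        problems.append("common password (after undoing leet-speak and trailing digits)")
    user_norm = normalise(username)
    if user_norm and (norm == user_norm or user_norm in norm):
        problems.append("derived from username")
    # Count distinct character classes present: lower, upper, digit, other.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 2:
        problems.append("only one character class")
    return problems


if __name__ == "__main__":
    for user, pw in (("alice", "alice1"), ("brion", "P@ssw0rd"),
                     ("dave", "123456"), ("carol", "Correct-Horse-Battery")):
        print(f"{user!r} / {pw!r}: {check_password(user, pw) or 'ok'}")
```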

(no subject)

Date: 2007-05-07 04:50 pm (UTC)
From: [identity profile] secretlondon.livejournal.com
True, true. However, there are many more ignorant people than cyber libertarians. I think the % of honeypots is even smaller.

(no subject)

Date: 2007-05-07 04:55 pm (UTC)
From: [identity profile] commlal.livejournal.com
How hard is it to come up with a secure password? FFS.

(no subject)

Date: 2007-05-07 04:55 pm (UTC)
From: [identity profile] secretlondon.livejournal.com
Agreed. Much easier than HTML. MediaWiki was designed to be accessible to normals. To write about Anglo-Saxon poetry or something you shouldn't need a degree in computer science.

There is a program you can run that won't let you choose a piss-poor password. If that's too much for the userbase, have John the Ripper (or whatever) as part of requests for adminship.

(no subject)

Date: 2007-05-07 04:58 pm (UTC)
From: [identity profile] siani-hedgehog.livejournal.com
The thing about normal people and passwords is that for most of us, most of our passwords will never be challenged at all. Thus, it just doesn't seem worthwhile to come up with a good one. And the thing about good ones is that the better your password is, the harder it is to remember. I find it utterly impossible to remember all my passwords and PINs if I make them too good, and avoid too much repetition. Then I end up having to write them all down, which kinda defeats the purpose...

(no subject)

Date: 2007-05-07 05:03 pm (UTC)
From: [identity profile] secretlondon.livejournal.com
Some 'orrible biometric crap.