Jump to content

Talk:Make sure you have a password/Archives/2007

From Meta, a Wikimedia project coordination wiki

Transwiki

This page was transwiki'd from wikipedia:Wikipedia:Don't leave your fly open. A list of contributors can be found there. AmiDaniel 23:05, 7 May 2007 (UTC)

I transwikied the page using the import functionality, as the English Wikipedia is now an import source here on Meta. Thank you. --.anaconda 23:12, 7 May 2007 (UTC)

Microsoft

Microsoft as a trusted third party? Why is it that newly registered hotmail accounts get spam? — Arthur Rubin | (talk) 23:10, 7 May 2007 (UTC)

Alright, when I created the essay, I wasn't trying to start a "Microsoft is teh evil!" war, but, I was pointing out that certain companies, such as Microsoft, are a trusted party when dealing with a Windows based PC. Personal opinions are moot here. Cascadia 23:15, 7 May 2007 (UTC)

nonalphanumeric characters

are non-alphanumeric characters (#, ?, etc) allowed as passwords in wikipedia? is there case sensitivity? This should be stated in the user account form. 71.240.184.74 00:17, 8 May 2007 (UTC)

I do know for fact that Special Characters are allowed, and I do believe case sensitivity is a factor. Cascadia 00:20, 8 May 2007 (UTC)
Yes, passwords are case sensitive, and special characters, including unicode, spaces, and punctuation, are allowed. As punctuation tends to be rare in passwords, using it will certainly make your password many, many times more uncrackable. I may add a note on the create account form of enwiki to this effect, but I have not the power to do this on all wikis ... AmiDaniel 02:56, 8 May 2007 (UTC)

Password checkers

I'm considering removing this link. 128+ bits of entropy recommended? We're not running a missile silo! Including this link might discourage users once they find out they need a 40+ character password. ˉˉanetode╦╩ 01:24, 8 May 2007 (UTC)

Yeah, that is way, way too critical. A password like "QasfsuUGS8171:zgei@432۟glSy" is the first that it considers "Strong". Why not something more along the lines of this one? AmiDaniel 03:00, 8 May 2007 (UTC)
because that one is 403.--MarSch 13:08, 8 May 2007 (UTC)
How many bits of entropy are enough? How many wrong passwords will an attacker realistically be able to test? If he can test a million wrong passwords, then a password with about 40 bits of entropy will be strong enough to provide million-to-one odds that he will fail. But I don't know how many wrong passwords he can test. Do you? -- 70.171.30.45 03:32, 8 May 2007 (UTC)
There is no one perfect password. The idea is to make it least likely for someone to guess your password off hand or use a simple cracker. If you happen to be the target of a sophisticated Crack Hacker, then you would be what I would call "Royaly Fucked", no matter how much you try (for a laymen anyway). The idea is to not be paranoid, just take some simple precautions.


Security is like a condom, its not perfect but it is better than nothing. (the above was not written by me) Firefoxman 16:34, 9 May 2007 (UTC)

No admin profile?

The account you use at home for web browsing should not have administrative permissions. This is the default on operating systems such as Microsoft Windows, so be sure to change this. Browsing the web with an administrator account leaves you highly susceptible to viruses and other malicious software.

Okay, I'm taking this line out because 1)It is not completely accurate and 2)We cannot, will not, should not expect people to go around having two accounts on their PC's to edit wikipedia. The idea of this essay was Simple, common step actions that anyone with a brain can accomplish. Cascadiafrom Wikipedia 04:31, 8 May 2007 (UTC)

What's inaccurate about it? And I think it's perfectly acceptable to request that all users, not just those of Wikimedia, have both an account with administrative permissions and one without. An account with administrative permissions leaves your computer highly susceptible to viruses and key- and packet-sniffers which can compromise the security of your Wikimedia account. In order to successfully install a key- or packet-sniffer, however, you need administrative permissions, and so in order to "accidentally" get one remotely installed on your computer, you have to browse the web as an administrator. I believe that notion that you should not log in as an administrator is quite common sense. AmiDaniel 04:52, 8 May 2007 (UTC)
Such items can be prevented by a good anti-virus and anti-spyware program that is setup properly. It may be a best practice, but it is not a practical application. I work in technical support, and I some times have a hard time explaining to people where the "Start" button is, much less how to create a new account and not have it have administrator privedges. The way the point was worded also makes it seem like if you do anything other than that you are performing a great sin. I'm not comfortable with asking everyone who uses Wikipedia to waste system resources by jumping back and forth between their "Wikipedia" user account and the user account they normally use. It's not practical, and it really does not prevent all attacks. Cascadiafrom Wikipedia 05:02, 8 May 2007 (UTC)
Alright, point taken, and I'll gladly let it go. I still think that this is one of the most atrocious practices that people engage in, but I do understand that it may be above some users' heads. AmiDaniel 05:05, 8 May 2007 (UTC)

Why is wikipedia warning moi?

Why is wp telling me ``Important! For your own security, please choose a secure password. See password strength or this guide for help in choosing a strong password."

I use random passwords.... Seeing this message did make me check what password I was using, and I confirmed that I am happy with it. Other less techy users may receive such a message and despite having an adequate password decide that it is not secure. They are then likely to be confused and potentially going to chose a less secure password. 147.188.192.41 16:45, 8 May 2007 (UTC)

see en:Wikipedia:Wikipedia Signpost/2007-05-07/Admins desysopped for background. 147.161.1.25 14:27, 8 May 2007 (UTC)

If you get a warning on your watchlist en: telling you to come and look at this page, does that mean that your password has been judged too weak by the system, or does everyone get that message? 207.245.124.66 12:10, 8 May 2007 (UTC)

It seems everyone gets it. 62.194.17.19 15:50, 8 May 2007 (UTC)
Prime example of confusion caused! 147.188.192.41 16:47, 8 May 2007 (UTC)

Password stength

Password strength is important, but unless Wikipedia starts using encrypted pages at login (https) any account could be hacked. --Dúnadan 15:10, 8 May 2007 (UTC)

Yes, but the recent problems have been due much more to people using weak passwords. We've haven't had any serious problems recently with hacking. JoshuaZ 20:27, 8 May 2007 (UTC)
What about BOFH using WireShark? Firefoxman 16:31, 9 May 2007 (UTC)

Other checkers

I think it would be good to list other checkers than just the MS one. For example, here is one I've used in the past that really does a good job of evaluating and explaining the evaluation... if no one complains I think I will put the link in the essay and I would encourage others to do so as well. ++Lar: t/c 19:07, 8 May 2007 (UTC)

If people haven't come across it Steve Gibson's site has much information about security and a good password generator with (techy info!) --Herby talk thyme 19:40, 8 May 2007 (UTC)
See also MyPasswordSafe (Linux) or simply Password Safe (Windows)

Microsoft Password-checker removed

Just so anyone who wants to know knows, I removed a link to a password checker since it checks passwords on that site, and transmits the passwords in plain text. I would recommend a javascript checker, or one that at least uses SSL. Firefoxman 21:54, 8 May 2007 (UTC)

Well, Wikimedia passwords are submitted in plaintext; I see no greater risk in using a password checker that doesn't use SSL. I would hope people would know not to check actual passwords with the checker -- it's just to help gauge your understanding of what a good password is. AmiDaniel 22:39, 8 May 2007 (UTC)
Well, we would hope that most sysops would login and browse using the Secure Server anyway, so no, the password would not be shown in plain text in that case. Some day there is hope of getting all logins to go through ssl, but the devs have yet to get the cookies to share w/ one another. Firefoxman 16:29, 9 May 2007 (UTC)
Firefoxman, you were right, the link needs to stay away of the page. We should never invite people to send their passwords to Microsoft. And even with a warning, some people will do it (see don't stuff beans up your nose). Therefore best leave the page clean of Microsoft if it is related to security. Fantasy 13:03, 9 May 2007 (UTC)

Does that mean I have to resign?

I'm sysop on two projects and yet due to various circumstances I need to edit from public computers in most times. According to the article, am I bound to resign from all privileges? --Deryck Chan 05:52, 9 May 2007 (UTC)

Heavens no. These are guidelines, not policy. It would, however, be a very good idea to create an alternate account for yourself and use it at public computers, rather than editing with your Sysop accounts, or simply edit anonymously. If that is not an option for you, then please, please be sure that when you are done at the public computer you log out of any and all Wikimedia accounts you are currently on, clear your browsing history, and delete your cookies and temporary internet files. Also be sure that you trust the public computers you edit at--preferably, you should only use computers that require authorization and have separate user accounts for every user of them. AmiDaniel 08:28, 9 May 2007 (UTC)
I think that using the Wikimedia SSL Server shold allow you to use public terminals in a fairly trusted way. But it's just my opinion, any pro/cons? Fantasy 09:54, 9 May 2007 (UTC)
What about keyloggers or people taking your keyboard after you forget to log out? Firefoxman 16:31, 9 May 2007 (UTC)

HTTP proxy servers

One should not have one's web browser configured to use an HTTP proxy server that one doesn't trust, too. This is not the same as not using open proxy servers. Even a limited access proxy server shouldn't be used if one doesn't trust the person who runs it. Uncle G 14:24, 24 May 2007 (UTC)