User:Johnuniq/Security

Thoughts on security, initially for a reply at WT:ACN.

Hacking of Wikipedia accounts
Many admin and non-admin accounts have been compromised at Wikipedia (over 30 at enwiki and more at other Wikipedias). Almost certainly that has been done by attackers matching the list of admins with lists of user accounts hacked on other websites and finding cases where the hacked password was reused at Wikipedia.

Security recommendations
Use a unique password for your Wikipedia account. The password should be different from any other password you use now, or have used in the past, at any other website or organization.

Use a different unique password for any email address associated with your account. Having an attacker guess your Wikipedia password would be bad enough, but it would be much worse if they can also guess your email account password.

Any unique password of reasonable length is probably good enough for use at Wikipedia as long as attackers never get access to Wikipedia's internal database. To resist offline cracking even if the database is exposed, use a long password such as a unique sentence of 32 or more characters.

See:
 * Password strength requirements
 * meta:Make sure you have a password
 * Village pump (policy) (permalink)

Checking whether a password has been hacked
Troy Hunt created Have I Been Pwned? (HIBP) at https://haveibeenpwned.com/

Anyone can enter their email address at HIBP to determine whether that address (and possibly associated passwords) has been exposed during the numerous cases of systems being hacked. People who are not comfortable entering their email address have other choices.

One option is to enter your password at Passwords to see whether it is unique. If you are not comfortable entering your email address, you probably will not want to enter your password. The website claims that (if you have JavaScript enabled in your browser) whatever you enter as your password will be hashed on your computer and only the hash will be sent over the internet to the website. However, to avoid phishing, the golden rule is to never enter your password except when you are certain you are logging in at the authentic website.

It is possible to check whether a password has been exposed in publicly known breaches, without sending the password or its full hash to HIBP, using a method explained at Slashdot and documented at HIBP. In summary:

 * Find the SHA-1 hash of your password using software on your computer (see SHA-1 hash below).
 * Split the hash into two parts: the first five characters and the rest.
 * Paste  in your browser after replacing "XXXXX" with the first five characters of your hash.
 * Use your browser's search function (Ctrl-F) to search for the rest of the hash.

For example, assume the password is.
 * SHA-1 hash of "password": 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
 * First five characters: 5baa6
 * Remaining characters: 1e4c9b93f3f0682250b6cf8331b7ee68fd8
 * URL to visit: https://api.pwnedpasswords.com/range/5baa6
 * Search for  (case insensitive) on that page.

In December 2018 the example found:
 * 1E4C9B93F3F0682250B6CF8331B7EE68FD8:3533661

This result indicates that "password" has appeared 3,533,661 times in the hacked account data collected by HIBP.

For another example, the password  has hash   and searching https://api.pwnedpasswords.com/range/9f056 in December 2018 showed that accounts operated by various people with that password had been hacked 7 times.
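The steps above can be carried out entirely by a short script, so that the password and all but the first five hex characters of its hash never leave the computer. The following is an added example (not code from this page or from HIBP), written in Python 3. The range response it searches is a constructed sample: its first line reproduces the December 2018 result quoted above, and the other lines are made-up filler. The function names and the `fetch_range` helper are this example's own; `fetch_range` is only there to show where a live lookup would go and is not called by the offline demonstration.

```python
import hashlib
import urllib.request
from typing import Optional, Tuple

# Constructed sample of a range response for prefix "5baa6".
# Each line is "<remaining 35 hex characters of a SHA-1>:<count>", upper case.
# First line: the December 2018 result quoted above; the rest are filler.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3533661
00000000000000000000000000000000001:2
ABCDEF0123456789ABCDEF0123456789ABC:15
"""


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 encoded password as lower-case hex (what HIBP hashes)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def split_hash(hex_digest: str) -> Tuple[str, str]:
    """First five characters (the only part sent to HIBP) and the remaining 35."""
    return hex_digest[:5], hex_digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Search a range response for the suffix; 0 means not found.

    The comparison is case insensitive because HIBP returns upper-case hex.
    """
    wanted = suffix.upper()
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines
        candidate, count = line.split(":", 1)
        if candidate.upper() == wanted:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the range page for a five-character prefix (network access required)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, range_body: Optional[str] = None) -> int:
    """Return how many times the password appears in HIBP's data.

    Pass range_body to search a response you already have (offline);
    otherwise the range page is fetched using only the five-character prefix.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    body = range_body if range_body is not None else fetch_range(prefix)
    return count_in_range(suffix, body)


if __name__ == "__main__":
    # Offline demonstration using the constructed sample response.
    prefix, suffix = split_hash(sha1_hex("password"))
    print("prefix sent:", prefix, "| suffix kept local:", suffix)
    print("occurrences:", check_password("password", SAMPLE_RANGE_5BAA6))
```

Running the script offline prints the prefix `5baa6`, the 35-character suffix, and the count 3533661 from the sample. Replacing the sample with the output of `fetch_range(prefix)` performs the live check described above; either way only the prefix is ever put on the wire.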

SHA-1 hash
Various methods are available to generate a SHA-1 hash.

 * To do: Some of the procedures below may not work with passwords using Unicode characters. HIBP uses the SHA-1 hash of a UTF-8 encoded password.

Sandbox
Warning: If you accidentally publish the following edit, your password will be saved in the history of the sandbox! If that happens, undo your edit with an innocuous edit summary ("fix") and follow the instructions at Requests for oversight.

Module:IPblock has a function that can calculate a SHA-1 hash. Edit your sandbox and replace its contents with

after changing  to the password to be hashed, then preview the edit. The hash can be copied from the previewed sandbox page. When finished, close the browser window to discard the edit. Do not click Publish changes.

Python
If Python is installed on your computer, and assuming a password does not contain quote or apostrophe, one of the commands below could be used to obtain its SHA-1 hash. On a Windows computer these would be entered at command prompt (run ).

If Python 2 is available, use the following after replacing  with the password to be hashed. python -c "import hashlib; print hashlib.sha1('password').hexdigest()"

If Python 3 is available, use the following after replacing  with the password to be hashed (the password is encoded as UTF-8, which is what HIBP hashes). python -c "import hashlib; print(hashlib.sha1('password'.encode('utf-8')).hexdigest())"

Linux
The sha1sum utility is often available on Linux systems and can be used from a terminal. For example, if the password being hashed is  enter: echo -n "password" | sha1sum The result should show  which is the SHA-1 hash and   to indicate that the input was from the command line, not a file.

Any double-quote character in the password must be preceded by a backslash so the shell does not treat it as the end of the string. For example, if the password being hashed is  enter: echo -n "abc\"xyz" | sha1sum

macOS
In Applications > Utilities open Terminal and enter: echo -n "password" | openssl sha1 The result should show  which is the SHA-1 hash. This assumes the password being hashed is.

Windows
The File Checksum Integrity Verifier can be downloaded from Microsoft. No installation is required. Expand the download in a directory, run cmd.exe and change to that directory. Create a text file called, for example,  that contains the password with no extra spaces or newlines. When looking at the file in Notepad, there must be only one line (pressing the cursor down key should not move the cursor). At command prompt in the directory containing  enter: fciv -sha1 pw.txt

The text file must be saved with ANSI or UTF-8 encoding and there must not be a BOM before the text. Any BOM would be included in the data being hashed, so the result would be wrong.
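The pitfalls noted in the sections above (a trailing newline from echo without -n, a BOM written by an editor, a non-UTF-8 encoding of a Unicode password) all produce a hash that HIBP will never match, and they are easy to confuse with "not found". The following added example (not code from this page) computes the hash HIBP expects alongside the hashes of those mistaken inputs, and includes a small diagnosis helper, so a result from one of the command-line tools can be checked against each variant. The variant names and the `diagnose` function are this example's own; the assumption that Notepad's "Unicode" option writes UTF-16 LE with a BOM is the author's, not something the page states.

```python
import hashlib
from typing import Dict, Optional


def sha1_of_bytes(data: bytes) -> str:
    """Lower-case hex SHA-1 of arbitrary bytes."""
    return hashlib.sha1(data).hexdigest()


def hash_variants(password: str) -> Dict[str, str]:
    """The hash HIBP expects ("utf8") plus hashes of common mistaken inputs."""
    exact = password.encode("utf-8")
    variants = {
        # What HIBP compares against: SHA-1 of the UTF-8 bytes, nothing else.
        "utf8": sha1_of_bytes(exact),
        # echo without -n appends a newline to the input.
        "utf8_trailing_newline": sha1_of_bytes(exact + b"\n"),
        # Editor saved "UTF-8 with BOM": three extra bytes are hashed too.
        "utf8_with_bom": sha1_of_bytes(b"\xef\xbb\xbf" + exact),
        # Assumption: Notepad's "Unicode" option writes UTF-16 LE with a BOM.
        "utf16le_with_bom": sha1_of_bytes(b"\xff\xfe" + password.encode("utf-16-le")),
    }
    # A non-ASCII password saved as ANSI (Latin-1 here) hashes differently
    # from its UTF-8 form; only possible when every character is encodable.
    try:
        latin1 = password.encode("latin-1")
    except UnicodeEncodeError:
        latin1 = None
    if latin1 is not None and latin1 != exact:
        variants["latin1"] = sha1_of_bytes(latin1)
    return variants


def diagnose(password: str, observed_hex: str) -> Optional[str]:
    """Name the variant a tool's output matches, or None if it matches none."""
    observed = observed_hex.strip().lower()
    for name, digest in hash_variants(password).items():
        if digest == observed:
            return name
    return None


if __name__ == "__main__":
    for name, digest in hash_variants("password").items():
        print(f"{name:22s} {digest}")
    # A hash produced by "echo password | sha1sum" (no -n) is identified:
    newline_hash = sha1_of_bytes(b"password\n")
    print("diagnosis:", diagnose("password", newline_hash))
```

Only the `utf8` entry is useful for the HIBP lookup; if `diagnose` reports any other name for the hash a tool printed, the input to that tool needs fixing (drop the newline, remove the BOM, or save the file as UTF-8) before the range page is searched.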

Web calculator
If you are prepared to enter your password into a website, use: text2hash (requires JavaScript).