User talk:Tim Starling/Password matches

This page was listed on Votes for deletion July 7 to July 14 2004, rough consensus was to keep (23 clear votes to keep against 11 clear votes to delete). Because of the length of this talk page the discussion will remain archived at Wikipedia:Votes for deletion/User:Tim Starling/Password matches. -- Graham ☺ | Talk 00:54, 14 Jul 2004 (UTC)

Note: old (pre-Slashdot story) talk for this page has been archived: /Archive1

This was posted to slashdot today: I agree that this should be taken down. --Hoovernj 19:19, 31 May 2005 (UTC)
 * The comment
 * And the resulting story

From my (Schnee's) user talk page:

Re: password matches
all the accounts listed on this page have been created solely for the purpose of trolling

How can you be sure of that? Just because they share the same password? Or is it because they've been caught vandalizing? And if the latter, then why the need for the password matches at all?

Typogfk 19:17, 31 May 2005 (UTC)

is this reeeeally a 'low visibility' page if there are links to it in every user page included in the list? i just stumbled in here so i'm just skimming the basic philosophy behind the idea. anyway, why i say this is that someone's comment stood out on a page as sort of insidiously irritating (to someone taking my side of the argument & sort of peeved how few people question the other side of it, bla bla bla etc).. so anyway, i get curious if there's a particular reason (something in the user page pointing to a personal relationship to the issue?) this person is being a snit about the other side of the argument, and i see the link to the Tim Starling (is that your real last name?)/Password matches page. tho in the end it was o-tay to find out the person who made the irritating comment is considered squirrely, just thought i'd mention this b/c of the 'low-visibility' argument mentioned above.. the users might not be so low visibility if they tend to make comments that inspire people to go look at their user pages (when the user pages have links to this thing in them)... etc

Link the usernames
I was going to do this myself, but by the time I hit edit I found that the page was (thankfully) protected. The Slashbots are going to complain that some may be real users, so could an admin please go through and link the user pages: Lir -> User:Lir ? That's the easiest way to prove that there are no innocent users listed here. --Geoffrey 19:17, 31 May 2005 (UTC) /Geoffreyerffoeg on Slashdot


 * That's not going to help much, though, as the Slashdot article cleverly links to a specific revision of the page, not the current one. Also, I did some quick checks, and it appears there are some non-trolls on the list, e.g. User:Perrak.--Eloquence* 19:28, May 31, 2005 (UTC)


 * Tim has now redirected the linked revision to the current one if the HTTP referer is Slashdot. A funny bit of custom code:

    // Only for this one page, and only when the request came via Slashdot:
    // drop the requested old revision id so the current revision is served.
    if ( $this->mTitle->getPrefixedText() == 'User:Tim Starling/Password matches'
        && isset( $_SERVER['HTTP_REFERER'] )
        && strpos( $_SERVER['HTTP_REFERER'], 'slashdot' ) !== false ) {
        $oldid = NULL;
    }


 * I expect this won't make it into the next version of MediaWiki. ;-) --Eloquence* 20:45, May 31, 2005 (UTC)

Given that you've found at least one non-troll on the list, I think the privacy concerns mentioned on Slashdot have been well validated. It's not just theoretical, it's real. I'm just astonished to find out that something like this happened here, and I'm more than a little bothered by the fact that everyone seems to keep apologizing for this dangerous recklessness on our (Wikipedians) part. Typogfk 19:44, 31 May 2005 (UTC)

(e.g. see this comment, where an admin makes excuses for this security breach by implying I'm a vandal... is this for real?) Typogfk 19:49, 31 May 2005 (UTC)

????

SALT
Why aren't the Wikipedia passwords salted?

Read this pretty good article on salt, I will add a link to this page on the Wikipedia Salt article stub: Salt (cryptography)


 * MediaWiki supports password salts, but they're disabled on the Wikimedia websites for compatibility reasons (so that old passwords that weren't salted keep working).--Eloquence* 20:49, May 31, 2005 (UTC)


 * That's not the greatest rationale in the world... perhaps we should ditch compatibility in this case? --Dante Alighieri | Talk 22:47, May 31, 2005 (UTC)


 * Our salt system was specifically designed so that the pre-salted hashes could be upgraded in a batch. See my comments below about why it wasn't turned on originally. --Brion 23:28, May 31, 2005 (UTC)


 * It should be fairly easy to write a system to upgrade users' hashes to salted hashes automatically as they log on. (e.g. IF hash field is null THEN use old password code to log them on; update database to salted hash. ELSE use new code) This seamless transitional step can be removed after most of database is updated. --


 * That's not necessary; a single database query can apply the salt in one step. I went ahead and did that during our maintenance downtime tonight. All Wikimedia wikis are currently using salted password hashes. --Brion 05:16, Jun 1, 2005 (UTC)
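The two upgrade paths discussed above (the login-time migration suggested in the previous comment and the single batch query Brion describes) as an added Python example; this is not code from the thread or from MediaWiki. It assumes the 2005-era MediaWiki layout in which the unsalted stored value is md5(password) and the salted value is md5(user_id '-' md5(password)), with the user id acting as the salt, and it uses a constructed five-user table. It also shows why the salted column defeats the "password matches" grouping that this page was built from: identical passwords no longer produce identical rows.

```python
import hashlib


def md5hex(s: str) -> str:
    """Hex MD5 of a UTF-8 string (what the 2005-era scheme used; not a modern choice)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def hash_unsalted(password: str) -> str:
    """Legacy stored form assumed here: md5(password). Equal passwords give equal
    hashes, so grouping rows on this column reveals which users share a password."""
    return md5hex(password)


def hash_salted(user_id: int, password: str) -> str:
    """Salted form assumed here: md5(user_id '-' md5(password)). The salt wraps the
    legacy hash rather than the plaintext, which is what makes a batch upgrade possible."""
    return md5hex(f"{user_id}-{md5hex(password)}")


def upgrade_stored_hash(user_id: int, legacy_hash: str) -> str:
    """Per-row equivalent of the one-query batch upgrade, roughly
    UPDATE user SET user_password = MD5(CONCAT(user_id, '-', user_password));
    no plaintext is needed because the salt is applied to the existing hash."""
    return md5hex(f"{user_id}-{legacy_hash}")


def verify_login(record: dict, user_id: int, password: str) -> bool:
    """Login-time check that accepts both formats and lazily upgrades a legacy row
    (the transitional approach suggested in the thread). `record` is mutated in place."""
    if record["salted"]:
        return hash_salted(user_id, password) == record["hash"]
    if hash_unsalted(password) != record["hash"]:
        return False
    record["hash"] = upgrade_stored_hash(user_id, record["hash"])
    record["salted"] = True
    return True


def password_matches(table: dict) -> dict:
    """Group user ids whose stored hash is identical; non-empty only for an unsalted column."""
    groups: dict = {}
    for uid, h in table.items():
        groups.setdefault(h, []).append(uid)
    return {h: uids for h, uids in groups.items() if len(uids) > 1}


# Constructed sample: five users, two of the passwords shared.
SAMPLE_PASSWORDS = {1: "correct horse", 2: "hunter2", 3: "hunter2",
                    4: "correct horse", 5: "unique-pw"}


def demo() -> dict:
    legacy = {uid: hash_unsalted(pw) for uid, pw in SAMPLE_PASSWORDS.items()}
    salted = {uid: upgrade_stored_hash(uid, h) for uid, h in legacy.items()}
    # Every user can still log in after the batch upgrade, with no password reset.
    logins_ok = all(hash_salted(uid, pw) == salted[uid]
                    for uid, pw in SAMPLE_PASSWORDS.items())
    # Lazy path: a legacy row is upgraded on its first successful login.
    rec = {"hash": legacy[2], "salted": False}
    lazy_ok = (verify_login(rec, 2, "hunter2")
               and rec["salted"] and rec["hash"] == salted[2])
    lazy_rejects_wrong = not verify_login({"hash": legacy[2], "salted": False}, 2, "wrong")
    return {
        "legacy_groups": password_matches(legacy),   # two groups: {1,4} and {2,3}
        "salted_groups": password_matches(salted),   # empty: salt breaks equality
        "logins_ok": logins_ok,
        "lazy_ok": lazy_ok,
        "lazy_rejects_wrong": lazy_rejects_wrong,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The batch path is preferable where it can be run: it closes the exposure for every row at once, whereas the lazy path leaves unsalted hashes in the table until each user next logs in.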

vfd
I think this page should go to VfD again. It is clearly not in line with the newly drafted Privacy policy (which wasn't around when Tim first made this list). Whether or not any "innocent" users were affected, security and privacy should be paramount. The policy states:


 * "Many aspects of the Wikimedia projects community interactions depend on the reputation and respect that is built up through a history of valued contributions. User passwords are the only guarantee of the integrity of a user's edit history. All users are encouraged to select strong passwords and to never share them. No one shall knowingly expose the password of another user to public release either directly or indirectly"

Wikipedia should take a firm stance on this, just because they're trolls doesn't mean we want this precedent. I would list it myself, but it's protected. -Lethe | Talk 20:57, May 31, 2005 (UTC)


 * Remember though that this was done once, and will not be repeated. Any damage that was done would have taken effect a year ago. This list is just one more way of reminding vandals that they can indeed be tracked, even with sock-puppets. As far as innocent people go, they have either changed their passwords by now, or have had their accounts 'stolen'. If the accounts have been stolen and they can prove to Tim's satisfaction that they were indeed the original account owner, then he could (and I'm fairly sure he will), return the accounts to the rightful owner.
 * The most important thing for people to remember about this incident is that it is long over. 69.68.35.133 22:18, 31 May 2005 (UTC)
 * You missed the point -Lethe | Talk 11:14, Jun 1, 2005 (UTC)

Security is important.
This page's continued existence indicates to me that Wikipedia doesn't really think this page was such a bad idea in the first place--or at least don't understand how big a problem it is. People should not trust Wikipedia with their passwords.

Until 1) this page is removed and 2) No one has the ability to use this method (i.e. our passwords are stored securely, so that two users can have the same password but nonidentical hashes [add some salt?]), I'll be telling anyone who even mentions Wikipedia that this system has irresponsible security flaws, and what's worse, that the administrators don't care. —Preceding unsigned comment added by 67.137.147.132 (talk • contribs) 21:13, 31 May 2005 (UTC)


 * I was not aware this page existed, and I'm particularly annoyed that two-bit asshats think it's fun to troll slashdot instead of, say, letting the administrators know their concerns. Having been made aware it's here, I immediately deleted it.


 * As for the storage: we have support for correctly salted passwords, but it was on hold for Wikipedia until a user account migration is done, since this could otherwise break *everyone's* passwords. However, with our current plans that won't be an issue. I'll run the update tonight. --Brion 23:26, May 31, 2005 (UTC)


 * Done. --Brion 05:17, Jun 1, 2005 (UTC)