User talk:Tim Starling/Password matches/Archive1

I don't like it. Eric B. and Rakim 16:01, 7 Jul 2004 (UTC)

You should be damn sure these matches aren't coincidence. V V   07:14, 8 Jul 2004 (UTC)

In Wikipedia:Votes for deletion/User:Tim Starling/Password matches, Lir claims it can be used to find out the passwords of various users. In theory this is true.

But it's only a problem if some innocent user picks the same password as someone who wants to abuse their account. In this case, Lir has a valid point, and it's horrible to think about. The malicious user can then use the innocent party's account to impersonate them, hiding behind their goodwill and destroying their reputation.

I don't think this is likely to occur, personally.

If two different users pick the same password, then until one of them reads this page (and you'll notice Tim hasn't linked it to their user pages, so what links here won't show it) there's no damage at all. Nobody else knows what this password is, just those two users, and neither of them knows that the other is using it. A troll or vandal isn't likely to send them a message saying "please tell me your password", or to get any useable information in response even if they do.

As soon as one of them does happen to read the page, then they should change their own password immediately, and then contact the other user to suggest they do the same. That's what most of us would do, and again no damage. We're a pretty mutually supportive bunch, most of us. If we were all trolls and vandals, that would be a different story. Andrewa 12:14, 8 Jul 2004 (UTC)


 * Andrewa, you argue that it's not a security problem — I disagree. If I understand you correctly, you're saying that A) this page has low visibility, so it's unlikely users listed here will notice the match. B) users are generally a trustworthy bunch. "A" is easily repudiated; it's appeared on mailing lists, votes for deletion, and I came here after it caught my eye on the IRC recent changes channel. As for "B", well, while "assume good faith" is a good rule of thumb for Wikiquette, it's not the best heuristic for security.
 * (copied from votes for deletion for reference and further discussion): "I think this sets a dangerous precedent; if even one of these accounts is not actually a sockpuppet, then at least two users have had their passwords revealed to each other. If this "outing" becomes a regular tool for analysing sockpuppetry, then it seems likely that a legitimate user is eventually going to be listed by mistake. If we're comparing MD5 hashes, we then don't know how common the password is, and users have a habit of choosing common passwords. (Also, don't we salt (cryptography) the passwords?)" — Matt 00:00, 9 Jul 2004 (UTC)


 * I don't think you do understand me correctly. I certainly didn't mean to say what you've called A. I do think that it's unlikely that either one of a pair of users who have innocently chosen the same password will find this out from this page. You haven't actually said whether you agree with that, you've just easily repudiated something which I did not say, but I guess you also disagree with what I did say. Is this just because you misunderstood me?


 * Indeed, it seems I have misunderstood you; sorry about that. What I do think is a risk is that a non-sockpuppet user will eventually get listed in amongst a set of sockpuppet accounts, and that as a general principle it is unwise to reveal any information whatsoever about user passwords — even MD5(Password1) = MD5(Password2). — Matt 05:06, 9 Jul 2004 (UTC)


 * If this were to be set up as a complete, automated, unreviewed special page, I'd agree. But I've seen no suggestion of this. What I've seen is a once-off, competently designed, reviewed and edited, which significantly increased the accountability of a few irresponsible users, and which they want deleted for that reason.


 * As for assume good faith, I didn't say that either. I agree it's wrong and not compatible with security. Nor did I say that users are generally trustworthy, that's your term and I suggest you avoid it, it's very confusing. Trustworthy means always and generally means not always. I do think that most users are well-intentioned, but this is a different thing IMO.


 * I didn't use the phrase "generally trustworthy". What I meant by the phrase "users are generally a trustworthy bunch" was that "most users are trustworthy". — Matt 05:06, 9 Jul 2004 (UTC)


 * If I've misquoted you I apologise. We speak of trusted systems so I'd avoid using the term trust or even trustworthy in any weaker sense than that.


 * Your approach seems to be assume bad faith. IMO that's equally wrong, quite unnecessary, and exactly what some of the ungodly want us to do.


 * OK, I'm not entirely sure what you mean here either, but a healthy dose of suspicion and paranoia are useful attributes in cryptography, and (I would have thought) in computer security in general. — Matt 05:06, 9 Jul 2004 (UTC)


 * Agreed. See below for some clues as to part of what I mean.


 * You raise some good points, but I don't think any of them support your opinion that this page should be deleted. You seem to be assuming that it is a complete, automated listing, posted without much thought, that will be rerun regularly with equally little thought. I'm not convinced that it is any of these things. Andrewa 04:10, 9 Jul 2004 (UTC)


 * Well, there's no information given here as to the usage or intentions; one user voted to expand the page. I could easily imagine a well-intentioned developer running a script to automatically extract collisions from the password table. As I mentioned above, I think the premise of revealing any information about user passwords is a flawed one; hence I voted to delete. — Matt 05:06, 9 Jul 2004 (UTC)


 * You don't need to imagine it, that's exactly what Tim has done. The principle that no information on passwords is to be revealed is in general a good policy, I've even written it into many policies over the years, and it should be the default policy in the absence of other factors. But there are other things going on here. We have a rather different user base than any commercial or defence system, for example.


 * The most important factors in maintaining security in any system are morale and motivation. This page, as it stands, has IMO enhanced both. Deleting it would, conversely, weaken security. Not by very much, I think the point has been made and the page has largely served its purpose and its usefulness, Tim may even quietly put it up for speedy delete himself before too long. The main problem of deletion now would be the vote of no confidence that it would give to him. Andrewa 10:13, 9 Jul 2004 (UTC)

Here's my reply to this from VFD:


 * I was considering checking for weak passwords by running the hashes through a standard password cracker. I couldn't find one that would accept plain MD5 input, though. Perhaps I could write my own and run a few dictionaries through it. As noted on the page, at least one of the passwords was indeed weak, namely "Troll". -- Tim Starling 01:29, Jul 8, 2004 (UTC)

The existence of weak passwords is a fair criticism, and I don't intend to post any more lists before I have some means of checking hashes to see if they represent weak passwords. And no, the hashes aren't salted. -- Tim Starling 01:02, Jul 9, 2004 (UTC)
 * Also note when Wikipedia takes over the world and expands to have around 2^64 users, you're likely to get MD5 hashes matching even when the users don't share a common password...(the least of our problems, of course)... ;-) — Matt 02:10, 9 Jul 2004 (UTC)

I still don't like it. Andrewa, you seem to be building your core argument on a variation of "security through obscurity" - the assumption that two well-intentioned users are unlikely to find the page under discussion and, even if they did, will be unlikely to abuse the security weakness that this page creates. I disagree. If the page is going to be effective as a troll-fighting tool, it must be made visible, not hidden.


 * It's already been devastatingly effective, that's what Lir doesn't like! And as I say above, possibly not of much further use. You seem to be arguing there are problems with something that Tim might be careless enough to do in the future. Fair enough, if that worries you, propose a policy to restrict this. I predict you'll find it more difficult than you think, and that if we adopt it we'll find it counterproductive. But have a go.

The premise of the page is that at least one of the people on the page is a probable troll - by definition, a person with ill intent. The troll is likely to know that he/she is being targeted and will be more likely than the average user to watch for these kinds of pages. While I applaud the effort and have no problem with a page that lists out probable aliases and/or sockpuppets, I think the danger came when Tim exposed his methodology by telling the world that he built the list through password matching. Unfortunately, without exposing his methodology, the list would not have had as much credibility. It's a tough problem, but I feel strongly that we should err on the side of protecting passwords. Rossami 18:11, 9 Jul 2004 (UTC)

You also argue that the innocent user will find this quickly and will promptly change their password


 * I certainly didn't mean to. Where do I say this? I did say that if and when they find it, then they should quickly change their password, and that most of us would. That's not the same thing at all.


 * I think it's far more likely that they'd first find out when someone else (such as Tim or even me) sent them a message quietly suggesting that they change their password. If both looked innocent, it might easily be that they were valid accounts of the same person. We don't ban sock puppets, I have considered setting one up myself on occasions and in one case I sometimes wish I had. But I don't think we're interested here in one or two alter egos.

- which implies that we will only be taking this risk for a short period of time. I disagree here as well.
 * 1) Not all of our users log on every day.  Even if they did, I doubt that many people religiously watch the "my contributions" link to see if their account is being abused.  Someone could steal my account and I might not know about it for weeks.
 * 2) I again remind you that the troll is, by definition, ill intentioned.  If the troll finds the page first, this security hole could become permanent because an ambitious troll (especially after being educated through the excellent resources in Wikipedia including, unfortunately, this very discussion thread) can go to the innocent user's page and change the password.  Now, not only does the troll have another sockpuppet but this one has a real and valid history.  It will be much more difficult to verify as a sockpuppet account. And the innocent user is left screaming in the darkness, unable to even tell anyone that his/her account has been hijacked. (Okay, that was a little bit of hyperbole there at the end, but I hope you get my point.) Rossami 18:11, 9 Jul 2004 (UTC)


 * Agree with points 2 and 3 (sorry, that's now points 1 and 2 as I've messed up your format, and I can't see a better way), it's exactly what I meant to say in the second paragraph of my very first post above. Hopefully now you will understand what I was saying.

Last, I do not think these objections should be taken as a "vote of no confidence". The effort to confront sockpuppetry is a valuable fight. It is simply a concern with this particular tactic in the battle. Rossami 18:11, 9 Jul 2004 (UTC)


 * Well, I don't see what else they achieve. You seem to be proposing policy matters, most of them irrelevant to this page as it stands and instead expressing your fears at the stupid things you think might be done someday but haven't been yet. I think this discussion is important. A policy that would prohibit what Tim has done on this occasion would IMO be counterproductive, and I doubt you'll get support for it. But I could be wrong.


 * If you do propose a policy, and it's accepted and works, I'll be impressed. I'll try to be constructive in my criticism of it, and I'd certainly support a good one. Have a go.


 * One suggestion. Security and privacy are related but separate issues. I think you'll have far more joy here on the privacy line than the security line. There is no security problem. There may be a privacy concern IMO, but again I think you'll find a policy more difficult to write than you think. Andrewa 22:12, 9 Jul 2004 (UTC)


 * Not quite. I'm concerned that Tim might already have swept an innocent into this trap.


 * Let's be quite clear that there are only five passwords involved. That's all, history included. You are concerned that one of the accounts listed as using one of these five passwords may be innocent, I take it? You are then proposing that this risk will be reduced by now deleting the page. Is that it?
 * Yes. Granted, it's weak protection given how much visibility this page already has, but it's better than leaving it in history forever.
 * It's almost impossible to know. How will you or Tim send that "message quietly suggesting that they change their password" without alerting the troll? How will you sort the wheat from the chaff?
 * I'll just say it's not difficult. I'll also say that I don't think describing the exact techniques, or revealing the data that supports the choice, is in the interests of security.
 * Sorry, but I don't buy it. I may not know every trick in the InfoSec playbook, but I know a lot of them and they are either subject to their own weaknesses or they amount to very subjective and labor-intensive judgements (such as comparing edit histories).  If you or Tim are doing such a labor-intensive review, that should be the basis of the accusation of sockpuppetry, not a possible coincidence of password.  In any case, I think it's too late to try to claim that you're going to protect the information by hiding your methodology.  No offense to Tim, but if he'd chosen not to discuss how the list was compiled in the first place, we'd never be having this discussion.
 * This is admittedly a catch-22. Before I will trust you (or anyone) with the right to make such accusations and with the right to hide your methodology, you must prove your trustworthiness which means exposing your methodology - which defeats the purpose.
 * Unless I am completely misunderstanding you, the troll is one of the two in your paragraph above. As soon as the troll discovers that the list exists, he/she will be able to exploit all the IDs on the list. He already knows the password and does not need to ask the innocent victim for anything. I voted to delete the page because the longer it stays around, the more likely the probable troll is to find and abuse the account. Clearly Lir has found it, but the others on the list may not have yet.  Rossami 23:19, 9 Jul 2004 (UTC)


 * Yes, that's the sort of thing I described. I also said I didn't think there was any credible risk that it occurs on this list. I think all the IDs listed as using these five passwords are sock puppets of five users.
 * I believe you when you state your opinion that these are all sockpuppets. I do not, however, believe that statement can be proven.
 * I'm inclined to agree that we need a policy discouraging this sort of thing in the future as well. I do not see this as a privacy issue because there's not really anything of mine that you can steal except my history of contributions and my reputation as a valuable contributor. (Email address, I guess, but most people seem to make that public anyway.)  I see it as a security issue because I do care about the possibility that someone could steal my identity and force me through the trouble of reestablishing a reputation under a new ID. Could you recommend the appropriate place to start this discussion of a proposed policy? Rossami 23:19, 9 Jul 2004 (UTC)


 * I guess a meta page. It's a whole project issue. There may be a suitable page already, I had hoped someone would provide a pointer to it. One problem will be preserving MWOT. We used to talk of motherhood security, meaning security based on high-sounding and valid principles (aka motherhood statements) that was in practice unworkable. This is far worse than none, because it gives a false sense of security and is a pure and often large overhead. I've seen lots of it over the years, don't get me started. IMO putting controls on what the developers do at this stage of Wikimedia development runs a great risk of being in that category. I could be wrong.


 * It would be a privacy issue if for example I had created a second account to deal with the discussion surrounding the Time Cube hoax, and was using its user talk page to keep my main one free of the sort of tangled illogic that surrounds that particular page. Under those circumstances I'd be a bit upset if someone blew my cover. But I don't think Tim would do that. It's not a major issue for me personally, but someone who had contributed personal experiences or frank opinions on discussion pages under one name and had also identified themselves under another could suffer enormously if those two were associated against their will. IMO these are both legitimate uses of sock puppets, and privacy should be respected. But IMO there are also cases where it's legitimate to disclose evidence that two or more accounts are the same person, as has been done here.


 * Establishing a set of rules for this may not be easy. Food for thought? Andrewa 02:20, 10 Jul 2004 (UTC)
 * I agree with you that this will not be easy. Your comment about "motherhood security" is well-taken.  It's still worth trying.  We can always take it back out if it's not working.  Let's continue this discussion at Draft privacy policy.  Rossami 16:12, 13 Jul 2004 (UTC)

May I suggest one thing? I think a less controversial approach to this is to follow steps like this:


 * 1) Create the list first.
 * 2) Ask people if any two accounts deserve checking of this sort.
 * 3) Only for those ones that many people suspect, disclose the result. Regarding other accounts, no disclosure.

Tomos 23:04, 9 Jul 2004 (UTC)


 * Good suggestions IMO. Two points. One, perhaps that's what already happens. The results we have look like the output of such a process, don't you think? Two, probably something like it does (I don't know), but it's not in the interests of the Good Guys (us) to say exactly what. Security is like that. But I say again, good suggestions. Andrewa 02:20, 10 Jul 2004 (UTC)

Here's how I picked my targets. People had been asking me to check on identities, and I had been using this password method secretly for a few instances. I would then hint that yes, the evidence is pretty strong that these two people are the same. But a private tip-off leaves those Wikipedians open to attack when they make accusations and they're unable to talk openly about the evidence. This was the case with Lir and Rienzo. At this stage I also checked on a few other random people, such as Nico. But there wasn't really anything I could do with the list, since publishing the whole thing would give away my methods.

I decided that it was inappropriate to keep this method secret. It's analogous to criminal justice: everyone knows about fingerprints and DNA and gas chromatography, and the people who collect the evidence are obliged to present it to the public in full. Otherwise there is potential for abuse. Despite the fact that everyone knows about it, people are stupid and still get caught.

So I decided to go public. I recognised a lot of names from the Lir and Nico lists, and I had confirmed some of their identities in the past using IP addresses. I thought that the trolls would probably change their passwords once I had published my method, so I decided it would be better if I pre-emptively published the lists. That probably wasn't a good justification in hindsight. I checked on a few well known trolls, but only came up with the Trolls of Navarone list. I then went through Vandalism in progress, running names and looking for interesting matches. I was only interested in matches where there were a large number of matching names, and where most of the names were known vandals. WikinaziHunter was the only one to come out of that process. I then asked on IRC if anyone had any ideas for names to check. LlortTheehtTroll was suggested so I ran that one.

To those people who were worried about me accidentally revealing their passwords: if you are worried about password security, use a strong password. If you use a weak password, say a word from a dictionary, then it's trivial for an attacker to discover from the password hash, taking just seconds of computing time. Password hashes are sent in cookies if you use the "remember password" feature. -- Tim Starling 01:17, Jul 14, 2004 (UTC)
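The matching discussed in this thread works because the stored hashes are unsalted MD5, so two accounts with the same password store the same value. As an added example (not part of the original discussion and not MediaWiki's code), the sketch below contrasts that with a per-user random salt and PBKDF2, where the equality signal disappears; the account names, passwords and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; names and passwords are invented for illustration.
ACCOUNTS = {
    "ExampleUserA": "correct horse battery",
    "ExampleUserB": "sunshine",
    "ExampleUserC": "sunshine",  # same password as B, chosen independently
    "ExampleUserD": "tr0ub4dor&3",
}

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def unsalted_md5(password: str) -> str:
    """Scheme described in the thread: plain MD5 with no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_record(password: str) -> tuple[bytes, bytes]:
    """Hardened scheme: fresh 16-byte salt per account, slow key derivation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Login check: re-derive with the stored salt, compare in constant time."""
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, expected)


def accounts_sharing_a_hash(stored: dict) -> list[list[str]]:
    """Group account names by stored hash value; return groups of two or more."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def unsalted_table() -> dict:
    return {user: unsalted_md5(pw) for user, pw in ACCOUNTS.items()}


def salted_table() -> dict:
    return {user: salted_record(pw) for user, pw in ACCOUNTS.items()}


if __name__ == "__main__":
    # Unsalted: anyone who can read the table sees which accounts match.
    print("unsalted matches:", accounts_sharing_a_hash(unsalted_table()))
    # Salted: identical passwords no longer produce identical stored digests.
    digests = {user: rec[1] for user, rec in salted_table().items()}
    print("salted matches:  ", accounts_sharing_a_hash(digests))
```

With salting, a table reader can no longer tell that two accounts share a password, and a cookie or database leak no longer lets one precomputed dictionary be reused across every account.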

As cunning as a fox who's just been appointed professor of cunning at Oxford University... nice idea!

Ojw 19:59, 11 Dec 2004 (UTC) just don't compare my MD5-hash to slashdot! ;-)