Wikipedia:Articles for deletion/User:Tim Starling/Password matches

'''This page is an archive of the discussion surrounding the proposed deletion of a page entitled User:Tim Starling/Password matches. Further comments should be made on the talk page rather than here as this page is kept as an historic record. The result of the debate was to KEEP (23 votes against 11 to delete).'''

Re: User:Tim Starling/Password matches

Not only does this page contain false accusations; not only does it represent an abuse of Tim Starling's administrative powers; but, it can be used to find out the passwords of various users. Lirath Q. Pynnor 00:23, 7 Jul 2004 (UTC)
 * This article is not helping to fight vandals; it gives the incorrect impression that I have a number of different accounts -- I do not. The page is wholly inappropriate. Lirath Q. Pynnor
 * Why should we believe you? Snowspinner 04:52, Jul 7, 2004 (UTC)
 * Keep. Taco Deposit 02:41, Jul 7, 2004 (UTC)
 * Keep - Makes fighting vandals that much easier. -  T&#949;x  &#964;  ur&#949;  03:09, 7 Jul 2004 (UTC)
 * Delete - Invasion of privacy and abuse of admin powers. &#9758;spencer195 03:37, 7 Jul 2004 (UTC)
 * I can see why you might say that. Perhaps you'd have more chance of getting it deleted if you got the other 33 accounts with the same password as you to vote here as well. -- Tim Starling 01:39, Jul 8, 2004 (UTC)
 * Erm - Spencer195 isn't listed on the page... Secretlondon 15:03, 8 Jul 2004 (UTC)
 * Keep. &rarr;Raul654 03:38, Jul 7, 2004 (UTC)
 * Keep. Nice try, Lir. Ambivalenthysteria 03:57, 7 Jul 2004 (UTC)
 * Keep. An excellent service for tracking pests like Lir. Adam 04:21, 7 Jul 2004 (UTC)
 * Keep. Seems useful --Jerzy(t) 05:39, 2004 Jul 7 (UTC)
 * No reason to delete. (But no reason to believe this will work much longer, either. It's astonishing it wasn't foreseen by Lir or our Norwegian friend.) Ruhrjung 10:39, 2004 Jul 7 (UTC)
 * Keep. -Sean Curtin 17:58, 7 Jul 2004 (UTC)
 * If my assumption is correct and this is a list of vandal's passwords, by all means keep! The "vandalism in progress" page is far too long and if we can cut some vandals off at the roots, fantastic! - Lucky 6.9 19:09, 7 Jul 2004 (UTC)
 * Seems like a keeper already, but I'll put my keep in just for the heck of it. Cheesing off trolls is always a worthwhile endeavour...Fire Star 20:15, 7 Jul 2004 (UTC)
 * Delete. While this may be evidence of vandals making use of sockpuppets, it may also be coincidence.  I recently ran a security scan of my company's LAN passwords.  About two percent were the same or very close variants of one word (and, no, it wasn't "password").  If even one account was included in the list by coincidence, you have just exposed a valid user's account up to abuse by that vandal. To me, the risks outweigh the benefits. Rossami 23:21, 7 Jul 2004 (UTC)
 * I was considering checking for weak passwords by running the hashes through a standard password cracker. I couldn't find one that would accept plain MD5 input, though. Perhaps I could write my own and run a few dictionaries through it. As noted on the page, at least one of the passwords was indeed weak, namely "Troll". -- Tim Starling 01:29, Jul 8, 2004 (UTC)
 * Keep it. Nice try, fucker troll. -- Schnee 02:30, 8 Jul 2004 (UTC)
 * Keep. Seems like a handy tool for identifying sock pupputs, particularly if their editing patterns also match.  Not that sock puppets usually fool people anyway, but this saves time. Isomorphic 02:52, 8 Jul 2004 (UTC)
 * Keep. Very interesting. Maybe expand a little and nominate for featured article? (-> Maybe not. Anyway, keep up the good work, Tim, I'm a bit surprised it worked so well. The VfD nomination above, on the other hand, should be archived to BJAODN. Funniest thing I've read in ages. Andrewa 05:47, 8 Jul 2004 (UTC)
 * Keep. I tried to see how it can be used to find out the passwords of various users as alleged above. My mental powers must be entering the much-anticipated long dark night because I can't figure it out. --Phil | Talk 09:37, Jul 8, 2004 (UTC)
 * Keep and comment -- Let's say you happen to choose the same password that UserABC uses. Your username would show on UserABC's list.  UserABC would then know your password and could edit under your login until you realized the situation and changed your password.  While technically possible, this is actually quite unlikely to happen.  Even in this unlikely case, the only potential loss of private data that I can see is the "valid user's" e-mail address.  SWAdair | Talk  10:06, 8 Jul 2004 (UTC)
 * Comment: It's not a problem IMO, but it's theoretically possible, see the talk page. Andrewa 12:17, 8 Jul 2004 (UTC)
 * Both theoretically possible and a problem. See the talk page. Rossami
 * Yes, this did tell all account holders in each group the password of all other account holders in that group. Worth recalling that Tim has ample additional tools to confirm relationships between accounts before choosing to make a list like this available. Jamesday 06:07, 12 Jul 2004 (UTC)
 * Keep and expand. Snowspinner 15:38, Jul 8, 2004 (UTC)
 * Delete. I don't know anything about the user(s) in question, but I know a little about computer security, and I think this sets a dangerous precedent; if even one of these accounts is not actually a sockpuppet, then at least two users have had their passwords revealed to each other. If this "outing" becomes a regular tool for analysing sockpuppetry, then it seems likely that a legitimate user is eventually going to be listed by mistake. If we're comparing MD5 hashes, we then don't know how common the password is, and users have a habit of choosing common passwords. (Also, don't we salt (cryptography) the passwords?) &mdash; Matt 15:42, 8 Jul 2004 (UTC)
 * Comment: No problem. Please see the talk page and feel free to debate me there, I thought the reference above was clear but it seems we must clutter VfD a little more. I have 20 years professional experience in computer security, just BTW. Andrewa 20:19, 8 Jul 2004 (UTC)
 * Delete. Aforementioned security reasons. (But note that I don't spend much time vandal hunting,m myself.) General Wesc 12:13, 2004 Jul 9 (UTC)
 * Delete, for the same reasons. -- pne 15:08, 10 Jul 2004 (UTC)
 * Keep, if only to keep Tim Starling from being falsely accused and receiving negative publicity he certainly does not deserve. &mdash; Personally, I don't see anything wrong with the page. &mdash; Timwi 15:13, 10 Jul 2004 (UTC)
 * Keep. First, this is a user subpage, and it would be sheerly by accident a non-knowledgeable user got here, second, the names I recognise on this list are well and truly vandals, and having ready access to commonly-used "back-door" passwords will help keep them in check. Moreover, the disclosure of these passwords is likely to render them ineffective, forcing said users to create new acounts. Denni &#9775; 01:27, 2004 Jul 11 (UTC)
 * Get rid of this!! I can't believe any of you are OK with this. If Wikipedia had a privacy policy--and its lack of one appears to be a matter of laziness more than anything else (see here)--the existence of this page would be so clearly over the line that those responsible ought to be drawn and quartered. It seems likely there are legitimate users listed on the page whose passwords happen to be identical to sock puppets', and if--WHEN--they find out about this page, they certainly aren't going to be happy that their passwords have been compromised. This kind of thing makes me uncomfortable just having an account on Wikipedia, if site administrators like Mr. Starling are going to play this fast and loose with user information. Be more responsible, for Chrissake. Wikisux 12:13, 11 Jul 2004 (UTC)
 * Do remember that Tim also has the tools to check the internet proximity of the accesses to the site by the accounts. Jamesday 06:07, 12 Jul 2004 (UTC)
 * See below. Wikisux 06:51, 12 Jul 2004 (UTC)
 * Keep page. Delete trolls. Cribcage 22:25, 11 Jul 2004 (UTC)
 * Delete. Identify vandals by their vandalism, not by their passwords! Spectatrix 00:56, 2004 Jul 12 (UTC)
 * Keep. - Hephaestos|&#167; 02:12, 12 Jul 2004 (UTC)
 * Delete! I am aghast &mdash; the stated goal is good, but this is totally not the right way of handling it! Jeeves 04:08, 12 Jul 2004 (UTC)
 * And just what happens to a user that might innocently and coincidentally have the same password as one of these people? If two different people have the same password, and that fact is posted here, they just found out that they can fake being each other, and the less scrupulous is likely to do so. Please, please, please delete. -- Jmabel 06:02, Jul 12, 2004 (UTC)
 * It's probably safe to assume that Tim was aware of that and did other checks. Jamesday 06:07, 12 Jul 2004 (UTC)
 * Keep. It's a useful tool to identify possible relationships between accounts but does need cross-checking to eliminate bogus matches (which I assume Tim did). Jamesday 06:07, 12 Jul 2004 (UTC)
 * I hope you assume right, but Tim's comment above (about not having filtered out weak passwords) suggests otherwise. In any case, password equivalence between different accounts should never be public knowledge. This bears repeating: This information should NOT be publicly accessible. Either find a way to make it private to administrators, or kill it entirely. This is the kind of thing that will expose Wikipedia to lawsuits. Wikisux 06:51, 12 Jul 2004 (UTC)
 * Keep in this instance, but publishing this kind of information should be done as reluctantly as disclosing IPs of logged-in users. --Michael Snow 00:10, 13 Jul 2004 (UTC)
 * Keep. This MUST stay as PUBLIC information.  I suggest everyone on this list should be banned from the site for about a month.  Its trolls like them that ruin the spirit of Wikipedia.  Also, keeping this would give a chance for everyone on Wikipedia to protect the encyclopedia from these "weak-passworded" trolls.  As Wikipedia grows, so will the number of troublemakers.  Updating a public list like this will give an ordinary person to track down all these trolls and stop them before they terrorize Wikipedia and its contributers.  If I had more free time, I would go through everyone on the list and leave a message on their talk to quit Wikipedia or suffer the consequences for trolling. Cody The Blue Bomber 03:30, 13 Jul 2004 (UTC)

Comment: I'm not sure that everyone voting to keep this page has fully thought through the implications. As Rossami notes above, "If even one account was included in the list by coincidence, you have just exposed a valid user's account up to abuse by that vandal." It is both prudent and reasonable to expect such a vandal to discover the existence of this page before the innocent and unsuspecting user, thereby gaining access to that user's account. This is bad enough on its own, but consider that the vandal will now be in the possession of somebody's password and email address (by going to Preferences)--opening up infinite possibilities for abuse both on and off this site.

And this is not just theoretical. Different people choose identical passwords all the time, as earlier comments show. To formalize this process of matching passwords, in public, as a regular activity would be an appalling misuse of users' private account information. Even condoning it as an appropriate use of the user database is irresponsible, at best. In fact, there is no way for us to be certain that this page hasn't already compromised a legitimate user's account information. It is absolutely vital, therefore, that the information contained on this page is hidden from those who would abuse it--i.e., the vandals listed on it. If we can't take it private, we should delete it. Either way, we need to email the accounts listed on this page to notify them that unless they're one of the vandals Tim was intending to catch, their passwords have been compromised. Wikisux 06:24, 13 Jul 2004 (UTC)

Comment: I believe the ends justify the means in this situation. Suppose that a few valid users do end up getting their accounts taken by trolls. Eventually, those trolls will be blocked from Wikipedia. The only real loss is the valid users rebuilding their reputation, which isn't hard to do since Wikipedia is so addicting. Overall, Wikipedia would have cast out tons of trolls along with their sockpuppets, lies, and daily annoyances which are only detrimental to the encyclopedia. The only real loss is the valid users starting over. Besides, they were dim enough to choose such easily guessed passwords they deserve to start over and they might even learn to choose their password more carefully next time. It seems the minor disruption caused FAR outweigh the benefits of keeping Wikipedia free from trolls. Cody The Blue Bomber 17:43, 13 Jul 2004 (UTC)
 * I disagree. Wikipedia is not that addictive.  Frankly, if it happened to me, you'd lose me as a contributor. What makes Wikipedia attractive is the sense of community. Losing my reputation means that I lose all my sense of connection with that community.  The assertion that I would somehow deserve this because my password was matched is insulting beyond belief and degrades the sense of community all by itself. Trolls have been a manageable problem up till now without risking the exposure of my password.  What is it that you think has changed which justifies taking these risks with my password? Rossami 18:52, 13 Jul 2004 (UTC)


 * Delete - This info may be useful for an administrator in conjunction with other logs in building a case, but should not be published, innocent wikipedians may get blacklisted. --Buster 17:40, Jul 9, 2004 (UTC) (Vote moved here from vfd main space by Graham &#9786; | Talk)

This page is now preserved as an archive of the debate up to the point of deletion and, like other '/delete' pages is no longer 'live'. Subsequent comments on the issue, the deletion or on the new method of assessing voting, should be placed on other relevant 'live' pages. Please do not edit this page.