Wikipedia:Wikipedia Signpost/2007-05-14/Committed identity

In the wake of last week's report of five administrator accounts being hijacked by having their passwords cracked, Mangojuice (with the help of several others) has proposed a method that editors can use to identify themselves as the original account holder to regain control of a hijacked account. At this writing, about 300 users have confirmed their identities using this method.

What is it?
Template:User committed identity gives editors a way to later prove that they are the person who was in control of their account on the day the template was placed. This is done by putting a public commitment to a secret string on the user page so that, in the unlikely event that their account is compromised, they can convince someone else that they are the real person behind the username, even if the password has been changed by the hijacker.

How it works
An editor chooses a secret string; this is a group of words and numbers or a phrase known only to the account holder. The secret string can be any length; a good string will contain at least 15 characters and include unique information that only the account holder would know, such as a phone number or private e-mail address (not the address associated with your wikipedia account). The secret string is then processed through a cryptographic hash function such as SHA-2 (SHA-512, SHA-384, ...) or SHA-3 to generate a unique hash value or commitment. The commitment is placed somewhere in the editor's User space. If the account is compromised or hijacked, the editor provides the secret string to a trusted administrator or a developer, who verifies that the secret string matches the commitment value. Because the hash function is "one-way", it is impossible to calculate backwards to find a string value matching a given hash value, and the odds of a random string having the same hash value (a Hash collision) is negligible. Therefore, knowing the string that produces a given value is very strong evidence that the person giving the string is the person who originally published it. Once the string is verified, the developers can reset the password to allow the original account holder to regain control.

Alternatively, a user could create a PGP keypair and place the public key on their user page, and then prove their identity by using the private key to sign any message the challenger wants signed. However, this requires more technical competence, and it is necessary to ensure the private key file is well-protected (it is no longer a simple message, although it can of course be encrypted with a passphrase).

Example
For example, User:DonaldDuck1 chooses a "secret string" that includes the names and birthdate of his nephews. His string is,

Hewey, Dewey and Louie, October 17, 1937.

However, if DonaldDuck1 has mentioned his family on Wikipedia, this might be too easily guessed. A useful variation would be

Hewey October Dewey 17 Louie 1937. Egg salad is murder!

Using this web site to calculate the SHA-512 hash value produces

b43f3e39de3f501217144badfc64687a2f516d5d1205d89e51c003715f8609adfbd085afcac3839f7d1008d185e4ab0040edecf62671dbf66a825823e7d3ad42

User:DonaldDuck1 would then put the hash value on his user page using Template:User committed identity like this:

which looks like this:

In the event that DonaldDuck1's account is compromised or hijacked, he can e-mail the string to the Wikimedia Foundation office. If the hash value of the string matches the hash value previously posted on his user page, he will have proven that he is the rightful account owner.

Resources

 * Calculate some common hash values
 * Calculate a SHA-3 hash value