Wikipedia talk:Security review RfC

Require regular password changes
You left off the option of forcing users - or at least users with certain user-rights - to change their passwords periodically.

IMHO administrators and others with advanced user-rights (e.g. block users, delete pages/revisions, see deleted materials) should be required to change their password at least once a year and more often if they use medium- or low-strength passwords.

Administrators and other functionaries should also have to either use a WP:Committed identity or verify their contact information (either email, phone, snail-mail, or c/o someone else who has recently-verified contact info). davidwr/ (talk)/(contribs)  21:05, 7 November 2015 (UTC)


 * Consensus among security professionals is that requiring periodic password changes has, at best, no impact on security. At worst, it reduces security, by discouraging the use of strong passwords. --Carnildo (talk) 00:26, 11 November 2015 (UTC)
 * Human nature works against you when you force people to change passwords for no other reason than that a certain time has elapsed. A strong password management system is one which encourages editors to use strong passwords, and that normally requires remembering them. It's much easier to remember a single strong password (or passphrase) associated with a site than to remember a new one every 90/365/etc. days - that's what leads to password reuse across sites and is the cause of the present concerns. --RexxS (talk) 17:59, 12 November 2015 (UTC)
 * Human nature works against you when you force people to change passwords for no other reason than that a certain time has elapsed. A strong password management system is one which encourages editors to use strong passwords, and that normally requires remembering them. It's much easier to remember a single strong password (or passphrase) associated with a site than to remember a new one every 90/365/etc. days - that's what leads to password reuse across sites and is the cause of the present concerns. --RexxS (talk) 17:59, 12 November 2015 (UTC)

Preventing brute-force attacks
Brute-force attacks are only possible in three situations that I'm aware of:
 * An (encrypted) password file has been obtained from a compromised site of the WMF
 * Preventing this is obviously beyond the scope of the RfC
 * There is neither login delay (each login failure increases the delay before another login attempt is allowed), nor a limit to the number of failed attempts allowed before logging into a specific account is (temporarily) suspended.
 * Delays and limits to failed login attempts are the two key ways to prevent high-speed, automated attacks. I haven't tested logging into WMF websites to see if either is in effect; if neither is, then obviously there is a huge problem, and clearly a recommendation to be made
 * An (encrypted) password file has been obtained from a compromised site of an organization other than the WMF, and accounts with weaker passwords have been cracked (off-line). This is presumably the situation with the two compromised WMF accounts, as described here. The solution is to require a stronger password for a WMF login; if the person uses the same password at multiple sites, hopefully an attacker won't bother with the computer cycles needed to crack harder passwords, since so many accounts with weaker ones will be compromised and available first.
 * Alternatively, I suppose, WMF could provide a password manager to each person who is an admin (presumably a premium version, not a free version), somewhat of a small token of appreciation. -- John Broughton (♫♫) 00:25, 16 November 2015 (UTC)


 * You forgot "An unencrypted or easily-decrypted password file has been obtained from a compromised site of an organization other than WMF...". If the encryption is very weak, even a seemingly-strong password will be easily broken.  Unfortunately, I don't think there is anything people can do to prevent this other than not using the same password on multiple sites. davidwr/  (talk)/(contribs)  00:18, 17 November 2015 (UTC)

Closing?
This has been open just over a month, participation has slowed, and it looks like on most issues we have a pretty clear consensus one way or the other. I would call that a successful review of our security procedures, so well done Worm and everyone else who put forth an idea.

I would suggest that closing be done on a section-by-section basis. There is no need for one admin to do it all, anyone who did not participate in a particular discussion should be able to close it. When that's done, it looks like we've got some policy updates to do.

There is one problem, the proposal for requirements for stewards and the founder seems to have strong support, but regardless of that one project cannot dictate global policy, so that's more or less moot. I suppose we could submit it as an advisory vote if and when a similar discussion takes place at meta?

If there are no objections, I'll probably start closing bits of this that I didn't involve myself in tomorrow. If, after a few days there are still significant portions that are not closed we could add this to the ever-lengthening list at WP:ANRFC but that has gotten so bloated that it doesn't seem to be working very well anymore. Beeblebrox (talk) 20:17, 8 December 2015 (UTC)
 * Great minds, eh. I just added this to ANRFC. I'd close myself, but obviously that's a bad idea. Hopefully it'll be closed soon, and I'll raise similar on meta. WormTT(talk) 08:16, 9 December 2015 (UTC)
 * I've gone ahead and closed almost all of it. I started with sections I was not involved in, there were also a few where there was either unanimous or overwhelmingly obvious support or opposition so I closed those despite my involvement in them. There's just a few sections left that aren't quite as one-sided and that I did particpate in. I'm thinking of compiling a master list at the top of the page for ease of review. Beeblebrox (talk) 20:43, 9 December 2015 (UTC)
 * Did that, we just need four more sections closed to wrap things up here. Beeblebrox (talk) 21:10, 9 December 2015 (UTC)
 * Being that the rest of the cases had pretty clear-cut consensus, I've gone ahead and closed them all. Kharkiv07  ( T ) 15:48, 13 December 2015 (UTC)

WMF side
Since the RFC has closed, it looks like there are a number of specific policies we can put in place right away, and some we can plan for longer term. We can raise the length requirement to 8, and forbid common passwords. This is tracked in. Developing a password strength meter will take some extra design and developer work, so I can't commit to a firm timeline for implementing that. Auditing the passwords will take some time to setup as well, but I'm hopeful we can do that at some point in the near future.

Several users brought up two-factor authentication, and this is the solution that will provide the most benefit for protecting user accounts. The Security Team has tentatively made implementing 2FA a goal for next quarter (Wikimedia_Engineering/2015-16_Q3_Goals). CSteipp (WMF) (talk) 02:46, 11 December 2015 (UTC)


 * I should think, or at least hope, that most particpants realized that a lot of this couldn't just be done immediately and that the Foundation would need to be involved. Good to know it's on your radar, whatever the timeline.  Would 2FA be required for everyone, or just advanced permission holders? We seemed to ave a pretty strong consensus here for keeping the bar low for new users. Beeblebrox (talk) 05:01, 11 December 2015 (UTC)
 * We're mostly worried about admins. Requiring 2FA for users without any special rights would be rather drastic overkill in my opinion, and I believe that Chris feels the same way. BWolff (WMF) (talk) 10:29, 13 December 2015 (UTC)
 * I notice at the global RFC that there is mention of the master list of common names, but that many of them are too short anyway, leaving just short of 4,000 words. Is there anywhere to view that list? Beeblebrox (talk) 19:18, 14 December 2015 (UTC)
 * I downloaded the rockyou list (133MB = 14,344,392 passwords) and took the top 10,000. I then removed the (seven!) multi-word passwords and all of the passwords less than 8 characters in length. It only left 3275 words, so my regex may have been faulty, but it's probably close enough for our purposes. I've uploaded that plain text file (DOS\Windows in ANSI format) to http://www.metropolis2.com/demo/rockyou10K-8+.txt if you want to take a look at it. HTH --RexxS (talk) 21:35, 14 December 2015 (UTC)
 * Wow, some of those are pretty hilarious. Beeblebrox (talk) 01:08, 15 December 2015 (UTC)
 * @RexxS: To confirm, I did something similar before seeing the above. My results are the same as yours except for some trivial issues: I did not omit passwords with a space, and I fouled up the encoding so a few non-ASCII characters were mangled. Johnuniq (talk) 07:26, 15 December 2015 (UTC)

On-wiki side
Splitting this so things don't get jumbled. While auditing and enforcement of these new standards will require technical implementation from the WMF, it also appears that we have some new policies to write up based on these results. Currently we have User account security which is an information page. I would suggest that it stay that way as these changes won't really effect most users, and that we draft the new policy at...let's say Password strength requirements. We can always move it later if someone comes up with a better name. Beeblebrox (talk) 19:32, 13 December 2015 (UTC)


 * I've knocked together a draft policy there. I'm pretty sure I've summed up what the results of the review were there and it is ready to "go live" as policy, but would appreciate some review or re-working first if anyone sees the need. Beeblebrox (talk) 20:35, 13 December 2015 (UTC)


 * I have gone ahead and asked Jimmy, as the sole member of the founder "group" if he would be willing to just get on board now as presumably his password is already strong and not "JimboRulez!" or something. Beeblebrox (talk) 20:55, 13 December 2015 (UTC)


 * I've just marked WP:PSR as policy givent he absence of objection or other comment in the past week. Doing that may result in an influx of interest and comments however, so more eyes would be good. Beeblebrox (talk) 01:42, 21 December 2015 (UTC)

Global RfC on similar issue
There is an RfC at meta to increase the minimum length to 8 characters for users who can edit MediaWiki pages and who have access to data covered by the Nonpublic information policy (CheckUser and Oversighters) - Requests for comment/Password policy for users with certain advanced permissions. Callanecc (talk • contribs • logs) 00:21, 14 December 2015 (UTC)

Password strength checking
I'm too late to add this to the section overleaf, but I was going to recommend using zxcvbn. I see that already did, so +1 to that. —  Scott  •  talk  21:32, 14 December 2015 (UTC)