[Foundation-l] Re: [Wikitech-l] Password security
Robert Scott Horning
robert_horning at netzero.net
Tue Jan 31 15:54:41 UTC 2006
Tomasz Wegrzanowski wrote:
>brion vibber (brion @ pobox.com) wrote:
>
>>While running some password security checks, I found that a handful of sysop
>>accounts had blank passwords. Probably some non-sysop accounts also had blanks.
>>
>>Affected accounts can reset the password by the automated e-mail
>>password gadget on the login form, unless of course they didn't put in an e-mail.
>>
>>
>
>This is seriously wrong. It should be completely reversed.
>
>A lot of people have just lost their account because of this,
>and it wasn't even announced that it was coming.
>This part of the problem could be reduced if the change was
>announced in advance.
>
For those users who do have e-mail addresses for their accounts, were
there any provisions done to try and send a simple e-mail to those users
asking them to update their accounts with stronger passwords?
Especially sysops?

While I support the actions of Brion to try and strengthen the passwords
for user accounts, some internal notice should have been given in more
widely read forums, of which Wikitech-l and Foundation-l are not really
widely read forums for the typical Wikimedian. Actually, I don't know
of a good place, although there are several places that would work to at
least notify a few more people than simply the e-mail lists.

I feel for Brion, however. He is trying to secure the servers from
idiots and vandals when Wikimedia policies encourage idiots and vandals
to participate and wreck things.
--
Robert Scott Horning