[WikiEN-l] Fwd: Password reminder from Wikipedia

Skyring skyring at gmail.com
Tue Jul 5 23:01:32 UTC 2005


On 7/6/05, Rowan Collins <rowan.collins at gmail.com> wrote:

> Besides, if this was a banking site, I'd take these issues a bit more
> seriously; if someone just wants to impersonate or disadvantage you on
> Wikipedia, I'm sure they could find simpler ways anyway.

BookCrossing uses a similar mechanism, but it's the original password
that gets sent out to the registered email address. Problems come when
this email address is one no longer in use, and then we have to ask
questions based on information stored on the profile that isn't
publicly available.

I think the only serious attempt at abuse we had was a disgruntled
ex-husband who wanted to delete his ex-wife's account. He didn't know
her password, he wasn't on the email address, and when we asked him
her birthday, he didn't know it!

It is good practice to change your password immediately after getting
a password reminder. As noted above, it deletes your temp password and
you can then choose one that you can either remember easily or scrawl
on a post-it and throw away a week later.

And again, what precisely is at risk here? WP is a project where just
about everything is revertable (and frequently is). If my on-line
banking was compromised but I could easily reverse any transactions, I
wouldn't be too concerned.

And after all, WP allows anyone to edit anything. We seem to deal with
malicious users quite well, at least until such people reach senior
positions in the WP hierarchy.

Probably the only real damage (apart from annoyance and confusion)
that could be done by a compromised password is the alteration of
private details, and I would hope that these could be restored
reasonably easily when the real editor complains.

-- 
Peter in Canberra (the real one)


