Slashdot Mirror


Wikipedia Leaks Some Users' Passwords

JJ Budion writes "If you've signed up for an account on Wikipedia.org, you may want to check this page to make sure you're not on there. It seems certain users with identical password hashes can find other user names with the same password, and Wikipedia (despite being alerted) has done nothing about the problem for the last year. A good (although slightly inflammatory) description of the problem can be found here. This is probably a good occasion to remember to use strong passwords (apparently only users with common passwords, like dictionary words, are affected)."

238 comments

  1. A few points by daveschroeder · · Score: 5, Interesting

    To be clear, this isn't a case of Wikipedia "leaking" passwords or allowing some kind of exploit via technical means; this is Tim Starling deciding to specifically and literally publish a list of usernames that share the same password, ostensibly for the purpose of revealing trolls and flooders with multiple accounts.

    From the looks of a few of the lists (RickK, RíckK, RìckK, RiÄkK, RïckK, RiÄkK; Mäximus Rex, Maximus Rex, MaximusRex; JíangSlumDawg, JiangFlungDung; LlortTheehtTroll, LlörtTheehtTröll; The Two Trolls,The Fellowship of the Troll,The Return of the Troll,The Trolls of Navarone,Troll Silent, Troll Deep,The Trolling Stones, RangelaND Visa CONtroll), it would appear that some of these are indeed obvious duplicate accounts (whether or not they're "trolls" is, I imagine, beside the point).

    But it seems that he also caught a bunch of innocent folks who just happen to share the same password, not beyond the realm of comprehension for a password used for an "online" non-financial, non-critical site on a service with thousands of users. The submission makes it seem like Wikipedia knew about some kind of "exploit" and did nothing; rather, it seems like Wikipedia is content to let potential, and indeed confirmed in one case as admitted on the page, abuse of innocent users' privacy continue in the name of exposing possible (admittedly annoying) trolls. (That's my own take on the situation, anyway.)

    Interestingly, Wikimedia's (draft?) Privacy Policy says:

    Many aspects of the Wikimedia projects community interactions depend on the reputation and respect that is built up through a history of valued contributions. User passwords are the only guarantee of the integrity of a user's edit history. All users are encouraged to select strong passwords and to never share them. No one shall knowingly expose the password of another user to public release either directly or indirectly.

    It appears that, in this case, Wikimedia itself is implicitly "knowingly" releasing passwords to the public. One of the many problems with a community site for which there is no central responsible authority. Anyone who hasn't yet would do themselves well to read the summary of the issue linked in the submission.

    1. Re:A few points by Anonymous Coward · · Score: 0

      The page should be removed on the basis that it is an utterly futile attempt at revealing alter ego accounts and has a non-zero chance of hurting innocent users. However, it should be noted that the people who are most vocal about this are indeed vandalists. Not removing the page to spite the trolls was a stupid decision and gave them much more publicity than they could have hoped for if the other wikipedians had acted sensibly.

    2. Re:A few points by Olix · · Score: 0, Offtopic

      How the hell did you get first post?!?

  2. Well, good for me! by TheRealMindChild · · Score: 4, Funny

    I guess it is a good thing that I use "TheCowJumpedOverMyMotherInLaw" as my password... no one will ever figure that one out

    --
    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    1. Re:Well, good for me! by Rei · · Score: 1

      The key thing about making strong passwords that they do (but don't explicitly state) is that acronym passwords with occasional letter substitution are very strong, and easy to remember. They took the letter substitution to an extreme (and thus making it harder to remember as well), but the key is that acronyms are mostly random (they're letter and capitalization weighted, and don't usually contain numbers/symbols, but they're overall quite good compared to other types of easily rememberable passwords).

      Just as a comparison, turning the parent's comment into an acronym password (with no substitution - substitution helps!) produces something like:

      IgiiagttIu"amp.noweftoo

      (no, you don't need a password that long to be secure :) )

      --
      Aeris Died For Your Sins.
    2. Re:Well, good for me! by glib909 · · Score: 1
      Well, my password is:

      1 ... 2 ... 3 ... 4 ... 5

      --
      Suudsu, that stuff is G-E-W-D.
    3. Re:Well, good for me! by jx100 · · Score: 2, Funny

      Dammit, I need to change the code on my luggage now!

    4. Re:Well, good for me! by peragrin · · Score: 1

      You should randomize that a bit. for sake of easy memory try this one

      1.....2....3...4..5.

      I mean doesn't everybody use three periods in between their numbers?

      --
      i thought once I was found, but it was only a dream.
    5. Re:Well, good for me! by pilot1 · · Score: 1

      You're right!
      "TheCowJumpedOntoMyMotherInLawAndCrushedHer" seems to be a more popular password.

    6. Re:Well, good for me! by samkass · · Score: 1

      Must... resist... can't... help... myself...

      That's the same combination on my luggage!

      --
      E pluribus unum
    7. Re:Well, good for me! by spacecowboy420 · · Score: 0, Offtopic

      Best sig, and one of the best albums ever.

      --
      ymmv
    8. Re:Well, good for me! by Punkrokkr · · Score: 1

      A coworker stopped by my office one day bemoaning the fact that he couldn't tell anyone his password (without changing it). Apparently it was so clever and funny that he wanted to tell everyone what it was so they would think he was a clever and funny guy.

      --
      There's no emoticon for what I'm feeling! -- CBG, "The Computer Wore Menace Shoes"
    9. Re:Well, good for me! by ShortSpecialBus · · Score: 1

      Thank goodness for me that I use "MyMotherInLawJumpedOverTheMoon" on my account...

      --
      //FIXME: Bad .sig
    10. Re:Well, good for me! by Anonymous Coward · · Score: 0

      Your mother-in-law did a somersault?

    11. Re:Well, good for me! by snorklewacker · · Score: 1

      Funny thing that -- I actually use passwords that are embarrassing to say, which has the side effect of not revealing them to anyone. Stuff like "sm00chyk1ns" and "grumpygu5" (like that, those aren't actual passwords).

      Those are the sorts of passwords I assign to people as well when they forget passwords (I'm not normally in a role of resetting passwords, but I have a few apps where I'm the gatekeeper). Gives people an incentive to change them.

      --
      I am no longer wasting my time with slashdot
    12. Re:Well, good for me! by mizhi · · Score: 1

      Sure, that'll work until someone figures out that your mother in law is the moon.

      --
      Humorless sig goes here.
  3. If you're a troll on Wikipedia, by MrAnnoyanceToYou · · Score: 5, Interesting

    Please make yourself a new account or two. Seriously, the rather inflammatory summary didn't tip off the on-duty editor that this might not be that big a deal? 100 names out of how many? Gimmie a break.

    Additionally, every single post I've seen associated with this looks like someone just looking to drum up trouble for Wikipedia. Look at the list, and you'll notice that a lot of them, yes, are copies. And if they're not copies, you should have used a better password anyways, there's not even numbers in those... On top of that, the developer in charge of that little page seems like quite a decent fellow.

    Shame to you for not editing that summary a bit.

    1. Re:If you're a troll on Wikipedia, by pomo+monster · · Score: 1

      "And if they're not copies, you should have used a better password anyways, there's not even numbers in those"

      Right. It's THEIR fault, they DESERVED to have their passwords leaked. What a wonderful attitude.

      Potentially up to 100 accounts and passwords are compromised, and you don't think it's a big deal? Especially since there's no policy in place to guarantee the same thing won't happen again?

      OK, so the real number is probably only a couple dozen, not 100. I still don't think it helps in this situation to be an apologist for Wikipedia.

    2. Re:If you're a troll on Wikipedia, by dsanfte · · Score: 1

      If you don't like the summary bit, go ahead and edit it. Oh wait...

      --
      occultae nullus est respectus musicae - originally a Greek proverb
    3. Re:If you're a troll on Wikipedia, by Anonymous Coward · · Score: 0

      you should have used a better password anyways, there's not even numbers in those

      Those aren't passwords, those are usernames.

      So now LlortTheehtTroll knows he can log in as Boson, Dmbowden, Jjshapiro, etc. Possibly they were different accounts before, but now they're all the same account.

    4. Re:If you're a troll on Wikipedia, by Geoffreyerffoeg · · Score: 2, Informative

      you should have used a better password anyways, there's not even numbers in those...

      Those aren't passwords. Wikipedia hashes the passwords. The titles are the name of one user in each group. The summary's assertion about strong passwords is irrelevant; the only thing they compared was the password hashes.

    5. Re:If you're a troll on Wikipedia, by NumbThumb · · Score: 2, Insightful

      mod parent up, he's right.

      Just get this into your head: no passwords have been leaked! If two of the accounts in each section were not created by the same person, then the password would be compromised (the other person would know it's the same as his/her own). But that's the only problem.

      My guess would be that this would be true for at most two pairs of accounts on that page. But probably, none at all.

      --
      I have discovered a truly remarkable sig which this 120 chars is too small to contain.
    6. Re:If you're a troll on Wikipedia, by Raul654 · · Score: 2, Insightful

      Yes, as a matter of fact, it *is* their fault. The people in question used sockpuppet accounts in order to cause harm to Wikipedia in all sorts of unpleasant ways (and then deny any connection to those accounts). Exposing them in the middle of their lies was sweet justice. This list would have never been published if they weren't doing this, as (just so we're clear) now that the cat's out of the bag, this trick won't be useful anymore.

      --
      To make laws that man cannot, and will not obey, serves to bring all law into contempt.
      --E.C. Stanton
    7. Re:If you're a troll on Wikipedia, by ArsenneLupin · · Score: 2, Insightful
      then the password would be compromised (the other person would know it's the same as his/her own).

      ... and, as these passwords were singled out because at least one of the accounts was used for vandalism, chances are that the "other person" is the kind of person who you really don't want to knowingly share a password with.

      My guess would be that this would be true for at most two pairs of accounts on that page. But probably, none at all.

      All depends on how smart/mischievous the vandals were. If the vandals picked really common passwords, chances are they caught a couple of innocent naive bystanders.

      Ok, so now vandals have caught a small number of accounts with really common (i.e. weak...) passwords.

      Q: Who uses weak passwords (apart from other vandals trying to pull off the same stunt)?
      A: Newbs!

      Q: And what other errors do newbs do with passwords?
      A: Reuse the same across several sites (Slashdot, Amazon, and if the vandal is lucky: a bank...)

      See the problem?

    8. Re:If you're a troll on Wikipedia, by pomo+monster · · Score: 1

      Yes, I don't doubt that's true for most of the usernames on the list. But what about the people who had nothing to do with any of it? On the talk page, User:Eloquence says he's found some users who appear to be innocent (I imagine by pawing through their contributions history).

      This does not reflect well upon us as Wikipedians.

    9. Re:If you're a troll on Wikipedia, by Anonymous Coward · · Score: 0

      In the real world, it takes more than one piece of evidence to declare someone guilty of a crime (unless that evidence is really juicy). Here too it should take more than just a password match to declare someone a troll. I can see if an admin took this list, gathered more evidence on each match, double-checked with another admin, and published a refined list of those accounts that are extremely likely to be trolls. But just publishing raw data that is otherwise unavailable to the public is a complete breach of trust and nothing short of vigilantism.

    10. Re:If you're a troll on Wikipedia, by Anonymous Coward · · Score: 0

      Yeah, let's line 'em up against the wall and stone 'em too, eh? My story:

      I use a single password for sites like wikipedia, but I use different usernames on different sites. This way others can't follow all my tracks on the net and are less likely to deduce my real ID, even if I leave little bits of personal information at each site. On a site like wikipedia, I may sign-up one year to make a few edits, then forget what username I used, and then two years later sign-up with a new username but the same password (since I always use the same password, but different usernames). Does that make me a troll or a sockpuppet? Have I caused any harm to Wikipedia? No!

      That's why most civilized countries have well-defined judicial systems and procedures, to stop hot-headed vigilantes like you from stoning innocents like me. It looks like wikipedia, or at least this particular administrator, doesn't believe in following procedures that protect the innocent.

    11. Re:If you're a troll on Wikipedia, by SA+Stevens · · Score: 1

      Q: Who uses weak passwords (apart from other vandals trying to pull off the same stunt)?

      Richard Stallman. (grep the page for 'passwords')

    12. Re:If you're a troll on Wikipedia, by Anonymous Coward · · Score: 0

      > Just get this into your head: no passwords have been leaked!

      They were leaked to other people who happened to have the same password. Also, since two different users sharing the same password indicates that the password is weak, attackers know what accounts they can attack with a more likely chance of success.

  4. Wiki-passwords? by pianorain · · Score: 5, Funny

    Bah...you mean that I can't edit other people's passwords too?

  5. I've said it before by Anonymous Coward · · Score: 2, Funny

    and I'll say it again, hotgrits is not a safe password

  6. "News"? by TripMaster+Monkey · · Score: 4, Informative


    Um...didn't this happen like a year ago?

    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:"News"? by Rev.LoveJoy · · Score: 1
      Yes, but K5 had a story in the queue (warning, may go away) yesterday so some /. whore had to post an executive review for the masses.

      Cheers,
      -- RLJ

    2. Re:"News"? by moonbender · · Score: 1

      Of course, the K5 story was probably inspired by the Slashdot comment posted on May 29th which the story links to. Or maybe some Slashdot reader submitted the story after reading the comment.

      --
      Switch back to Slashdot's D1 system.
    3. Re:"News"? by rbullo · · Score: 1

      No, they were submitted by the same person at the same time. See this reply to my post in that thread.

      --
      OH NOES!!! IT APPEARS YUO DO NOT HAVE ENOUGH MONEY TO PAY FOR DIS HERE PIZZA! WAHT EVER ARE YOU GOING TO DO!?!?
  7. Shame on Wiki by goldspider · · Score: 3, Insightful

    If they're going to succeed in portraying Wikipedia as a mature, reliable alternative to traditional encyclopedias, then they aught to make damned sure that their ducks are in a row. Their disregard of customer concerns is a shameful.

    If, in the long-term, Wikipedia's image is tarnished by this, it is well-deserved.

    --
    "Ask not what your country can do for you." --John F. Kennedy
    1. Re:Shame on Wiki by fredrikj · · Score: 1

      Exposing troll accounts is shameful?

    2. Re:Shame on Wiki by Anonymous Coward · · Score: 0
      Hey, there's nothing wrong with fascist administration.

      But incompetent fascist administration is another matter entirely!

    3. Re:Shame on Wiki by Anonymous Coward · · Score: 0

      And in order for you to be taken seriously, you ought to learn how to spell.

    4. Re:Shame on Wiki by Rei · · Score: 4, Funny

      You did your post wrong, and are just asking to have other editors come along and fix it for you. To save this from a hundred edits, I'll go ahead and try to get them all at once:

      If they're going to succeed in portraying Wikipedia as a mature, reliable alternative to traditional encyclopedias, they ought to make damned sure that their ducks are in a row. Their disregard for customer concerns is shameful.

      If, in the long-term, Wikipedia's image is tarnished by this, it is well-deserved.

      See also:
      * Wikipedia (external link)

      --
      Aeris Died For Your Sins.
    5. Re:Shame on Wiki by pomo+monster · · Score: 1

      You don't understand. There's no guarantee all those accounts belong to vandals; in all likelihood, there's at least a few on that list whose only mistake was to pick a weak password, like a dictionary word. Which is admittedly a stupid thing to do, but they certainly don't deserve to have Wikipedia hand their password to trolls on a silver platter.

    6. Re:Shame on Wiki by jdavidb · · Score: 1

      You don't understand. This list is a year old. If there was anybody on it who wasn't a troll, that's been long since fixed.

      My guess, since you seem so emotionally vested in this (judging by your multiple comments on this thread) is that you are one of the trolls in question. Of course, you already know this, so I'm just mentioning it for the other readers out there.

    7. Re:Shame on Wiki by pomo+monster · · Score: 1
      "My guess, since you seem so emotionally vested in this...is that you are one of the trolls"

      Beg pardon? You're right on one count--I am emotionally invested in this, as I have an account on Wikipedia (User:Typogfk). If my being concerned about Wikipedia's keeping my password a secret makes me a troll, then I guess I must be a troll. Clearly only a troll could be bothered by the exposure of innocent users' passwords, am I right?

    8. Re:Shame on Wiki by Raul654 · · Score: 1

      My guess, since you seem so emotionally vested in this (judging by your multiple comments on this thread) is that you are one of the trolls in question. Of course, you already know this, so I'm just mentioning it for the other readers out there.

      Amen, brother (--A member of the arbitration committee)

      --
      To make laws that man cannot, and will not obey, serves to bring all law into contempt.
      --E.C. Stanton
    9. Re:Shame on Wiki by jdavidb · · Score: 1

      Name one innocent user whose password was compromised in that YEAR OLD list.

      Perrak does not count as he is not an active user.

      Get over yourself.

      Why am I feeding the troll?

    10. Re:Shame on Wiki by houghi · · Score: 1

      You don't understand. This list is a year old. If there was anybody on it who wasn't a troll, that's been long since fixed.

      I just saw that list. How should I have known that I was on the list.

      --
      Don't fight for your country, if your country does not fight for you.
    11. Re:Shame on Wiki by jdavidb · · Score: 1

      You weren't on there, were you?

    12. Re:Shame on Wiki by pomo+monster · · Score: 1

      Huh? "Perrak doesn't count as he is not an active user"? I take it, then, if you took a break from Wikipedia and your password was exposed to various vandals and trolls while you were gone, you'd be all right with that.

      I just can't believe you don't understand the concern here. "Troll" indeed.

    13. Re:Shame on Wiki by Anonymous Coward · · Score: 0

      Oh yes, another exposed Troll now whining on Slashdot about their troll accounts getting exposed. Get over it; we don't want your trolling kind on Wikipedia and would prefer it if you got off of the net entirely.

    14. Re:Shame on Wiki by jdavidb · · Score: 1

      I can't believe you, either, but it has made for an enjoyable afternoon of entertainment.

    15. Re:Shame on Wiki by STrinity · · Score: 1

      Name one innocent user whose password was compromised in that YEAR OLD list.

      So shoddy security practices are okay so long as the compromise remains potential only?

      --
      Les Miserables Volume 1 now up with my reading of
    16. Re:Shame on Wiki by jdavidb · · Score: 1

      Given that the developer involved agreed that this would be shoddy security if practiced on a regular basis, apologized, and has agreed not to make such a list any more, I'd say we're fine.

      If anything, this should have been an uproar a year ago.

    17. Re:Shame on Wiki by Anonymous Coward · · Score: 0

      > Exposing troll accounts is shameful?

      No, but the pathetic security of mediawiki and therefore all of wikimedia sure is. How many millions of guesses did the server allow before it gave up those passwords? Or does it just give up the hashed passwords for everyone to peruse?

    18. Re:Shame on Wiki by Aerion · · Score: 1

      Now if only we could VfD lame Slashdot stories.

    19. Re:Shame on Wiki by fbjon · · Score: 1

      No passwords have been leaked. The article summary is totally bogus. Nothing you see on the wikipedia page has anything to do with anyone's password (except the really blatant 'troll'x10 one). The page merely shows groups that have the same password.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    20. Re:Shame on Wiki by Anonymous Coward · · Score: 0

      It's called "ironic hypocrisy," Mark. Look into it.

      You and your ilk fuck up Wikipedia every bit as badly as Lir, Wik, and the rest of the vandalous nimrods. You're just two opposite extremes, equally damaging to what should have been a simple, workable project.

    21. Re:Shame on Wiki by YOU+LIKEWISE+FAIL+IT · · Score: 1

      Yeah, I always suspected the Rust and Sun belts were some kind of ridiculous troll myth. ( Idiot ).

      -- YLFI
      --
      One god, one market, one truth, one consumer.
    22. Re:Shame on Wiki by Anonymous Coward · · Score: 0

      they aught to make damned sure

      "ought".

      Their disregard of customer concerns is a shameful.

      "is shameful".

  8. the two guys by Anonymous Coward · · Score: 5, Funny

    the two guys with "Ilovetehfatchicks" as their password who showed up on each others list are just looking at each other right now. They know the other guy knows, but nobody else does, so the uncomfortable, pregnant, silence continues.

  9. Time to change my password... by yotto · · Score: 1

    ...To "tr0ll" I guess.

    1. Re:Time to change my password... by JUSTONEMORELATTE · · Score: 1

      Wow... that means it's time for me to change my password from "tr0ll". Damn!

  10. 1 2 3 4 5 by bestguruever · · Score: 2, Funny

    Cue the spaceballs references ...

    --
    if you think this is bad, you should have seen my last sig
    1. Re:1 2 3 4 5 by Anonymous Coward · · Score: 0

      Hey, that's the same combination to my luggage!

      Ask and ye shall receive.

  11. Passwords... by aicrules · · Score: 2, Funny
  12. 40 years of UNIX by Jeffrey+Baker · · Score: 4, Insightful

    Salt, anyone?

    1. Re:40 years of UNIX by Phoenixhunter · · Score: 1

      I think I'm too young to get this reference. Anyone care to enlighten me?

    2. Re:40 years of UNIX by Gumshoe · · Score: 1

      When creating a hash it is often a good idea to add a little random data (i.e. salt) to the input so that people can't infer a correct passwd simply by comparing hashes, as happened in this Wikipedia case. There's no need to add salt in all cases of hashing but it's a good idea when dealing with sensitive information.

      In case anyone's wondering, you obviously need to store the salt somewhere but it's of no use unless you know the original password to add it to. In other words, reversing the hash with the salt is as difficult as reversing it without.

    3. Re:40 years of UNIX by Anonymous Coward · · Score: 0

      Trivially, you add a string to the user password before hashing to prevent this. More

    4. Re:40 years of UNIX by odsign · · Score: 2, Informative

      In a non-bonehead password scheme, user passwords are stored after running them through a one-way hash function. A quantity of random data can be added to the password before hashing, to prevent identical passwords from producing the same hash, thus revealing the fact that they are identical. This is called a salt, and can be left out in the open. To check a password, you put the entered password and the unprotected salt together, hash them, and check the value against that stored.
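
      The scheme described in the two posts above (odsign's and Gumshoe's), as an added worked example that is not code from the thread and not MediaWiki's own implementation. The usernames and passwords are constructed for the demonstration; the unsalted store uses plain MD5 (as the thread discusses), the salted store uses PBKDF2-HMAC-SHA256 with a random 16-byte salt per user as a stand-in for a proper password-hashing function. The point the example makes: with no salt, anyone who can read the hash column can group users by identical digest without cracking anything, which is all the published list required; with a per-user salt, the same passwords produce unrelated digests and the grouping yields nothing, while verification still works because the salt is stored alongside the digest.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed sample data (hypothetical users, not from the page):
# three users chose the same weak password, two chose unique ones.
SAMPLE_USERS = [
    ("alice", "correcthorse"),
    ("bob", "password"),
    ("carol", "password"),
    ("dave", "7,g/1jI-1?m"),
    ("erin", "password"),
]


def unsalted_hash(password: str) -> str:
    """Plain MD5 of the password: identical passwords -> identical digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated hash: the salt is mixed in, so two users with the
    same password get different digests. Iteration count slows guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def build_unsalted_store(users):
    """Store mapping username -> md5 digest (the scheme the thread criticises)."""
    return {name: unsalted_hash(pw) for name, pw in users}


def build_salted_store(users, salt_len: int = 16):
    """Store mapping username -> (salt_hex, digest). The salt is kept in the
    clear next to the digest; it only needs to be unique, not secret."""
    store = {}
    for name, pw in users:
        salt = secrets.token_bytes(salt_len)
        store[name] = (salt.hex(), salted_hash(pw, salt))
    return store


def group_by_digest(store):
    """Group usernames whose stored digest is identical. This needs only read
    access to the stored digests, no password guessing at all, and is exactly
    the operation that produced the published list of same-password accounts."""
    groups = defaultdict(list)
    for name, entry in store.items():
        digest = entry if isinstance(entry, str) else entry[1]
        groups[digest].append(name)
    return sorted(members for members in groups.values() if len(members) > 1)


def verify(store, name: str, candidate: str) -> bool:
    """Check a login attempt against the salted store: recompute the digest
    with the user's stored salt and compare in constant time."""
    salt_hex, digest = store[name]
    recomputed = salted_hash(candidate, bytes.fromhex(salt_hex))
    return secrets.compare_digest(recomputed, digest)


if __name__ == "__main__":
    print("unsalted groups:", group_by_digest(build_unsalted_store(SAMPLE_USERS)))
    salted = build_salted_store(SAMPLE_USERS)
    print("salted groups:  ", group_by_digest(salted))
    print("bob/password ->", verify(salted, "bob", "password"))
    print("bob/Password ->", verify(salted, "bob", "Password"))
```

      Running it shows the unsalted store grouping bob, carol and erin together from their digests alone, and the salted store producing no groups while still accepting the correct password. The salt does not make a weak password strong (a guessing attack against one user still costs one guess per candidate), it only prevents cross-user comparison and precomputed tables; a slow, memory-hard function such as scrypt or Argon2 is what addresses the guessing cost.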

    5. Re:40 years of UNIX by Anonymous Coward · · Score: 0

      Disclaimer: I have no knowledge of the password authentication on Wiki.

      Wouldn't an md5 hash as the one-way hash function make salt less useful?

      As I understand it, salt was originally added to increase the size of the file necessary for a dictionary attack. Instead of having to compute one hash for 'dog' you now have to compute 256 hashes for the same word making the work for a password cracker much harder (potentially 256 times longer than before).

      The reason for this was that the crypt() function for passwords only works on 8 characters and thus the entire dictionary file is fairly easy to enumerate.

      With md5 sums the length of the password is unlimited thus making the work of the cracker much harder - the space of the password is no longer count(printable)^8.

      I can still see use for salt - it would help protect those who have bad passwords by making things that are guessable needing only one pass. I mean with a rather ugly script it only took me about 3 minutes to md5sum each line from a 25k word dict file.

      If you use a good password with md5, salt is useless. If you have a poor password, you have a poor password.

  13. Doesn't know diddly about hashing by fuzzy12345 · · Score: 4, Informative
    Anyone who thinks it's a hash collision problem, but that only people with 'weak' passwords will be affected doesn't understand hashing.

    Anyone who, in this day and age, writes a system whereby two users assign themselves the same password and end up with the same hashed password ought to be shot. Add a little SALT!

    --

    Everybody's a libertarian 'till their neighbour's becomes a crack house.
    1. Re:Doesn't know diddly about hashing by Nytewynd · · Score: 2, Interesting

      The funny thing is that someone's uber-secure password might be hashed right onto a dictionary word if the coder is a clown. Imagine finding out your password of "7,g/1jI-1?m" got hacked because it hashed onto "password".

      --
      /. ++
    2. Re:Doesn't know diddly about hashing by Nos. · · Score: 1

      Suppose it did, how would that help? Knowing your encrypted password's hash doesn't help much in cracking it, aside from being able to run brute force on your own systems as opposed to the actual system.

    3. Re:Doesn't know diddly about hashing by Anonymous Coward · · Score: 1, Funny

      That looked like a vi command for a second.

    4. Re:Doesn't know diddly about hashing by Transient0 · · Score: 1

      I think the original poster was suggesting that there could be a hash collision between "7,g/1jI-1?m" and "password".

      this is true, but so unlikely as to simply be disregarded.

    5. Re:Doesn't know diddly about hashing by Anonymous Coward · · Score: 0

      If they were both hashed with a different salt as suggested, that would not be an issue.

    6. Re:Doesn't know diddly about hashing by kisielk · · Score: 1

      Actually, if you put a : before the 7 it becomes a valid command, in Vim at least :)

    7. Re:Doesn't know diddly about hashing by leuk_he · · Score: 1

      and the chance of that happening at random is far less than 1 in 26^7

    8. Re:Doesn't know diddly about hashing by nusuth · · Score: 1
      someone's uber-secure password might be hashed right onto a dictionary word if the coder is a clown.

      And how does not being a clown prevent that? The number of exactly 7 letter combinations without case sensitivity is more than that can be uniquely enumerated in a 32 bit number. Consider all non-letters and case sensitivity, it is impossible to prevent zillions of uber-secure looking passwords' hash collide with the hash of "password"

      --

      Gentlemen, you can't fight in here, this is the War Room!

    9. Re:Doesn't know diddly about hashing by alnjmshntr · · Score: 1

      I don't think you are understanding the grandparent.

      --
      If I had created the world I wouldn't have messed about with butterflies and daffodils. I would have started with lasers
  14. Saw this on K5 by Nos. · · Score: 2

    I really believe this is an abuse of privileges, or a gross security oversight by Tim Starling. Knowing this information, I could likely gain access to these users' accounts on other, completely unrelated systems. Suppose I was on one of those lists (I'm not). Immediately, I know the password of everyone in my group. Now, suppose I start searching other sites, like /. for those usernames. Think they might use the same password on two different systems?

    1. Re:Saw this on K5 by aicrules · · Score: 2, Funny
      Think they might use the same password on two different systems?

      Not me! You couldn't hack into my account that way! No siree! I always use different passwords for each site that I'm on. That way, even if the site is unscrupulous I have nothing to worry about on the other 500 sites I have accounts on.

      Unfortunately, to remember them all I just use the name of the site as the password for my account.
    2. Re:Saw this on K5 by FidelCatsro · · Score: 1

      Prefacing your password with the name of the site is not always a bad idea, for example Wikipedia100Greenbottlestandingonthetreatmentgrounds1000metersaway .. that was one of my old passwords (changed a bit). I use things like that to trigger memories of the password.
      Actually I use the name of the site at the start then have a song to remember the rest of the password.

      --
      The only things certain in war are Propaganda and Death. You can never be sure which is which though
    3. Re:Saw this on K5 by fredrikj · · Score: 1

      Suppose I was on one of those lists

      The only way you could be that is if you were a troll who had created multiple sockpuppet accounts.

    4. Re:Saw this on K5 by Talondel · · Score: 1

      Liar! I just tried to log into your account here and the password isn't 'slashdot' or any common variation thereof.

    5. Re:Saw this on K5 by pomo+monster · · Score: 1

      Yeah, or if you happened to use the same password as one of those trolls. Not hard to imagine.

    6. Re:Saw this on K5 by Geoffreyerffoeg · · Score: 1

      Immediately, I know the password of everyone in my group.

      Big deal. Everyone in each group is the same person. That was the point of the list...to find "sock-puppets," people who create multiple accounts for the purpose of harassing, getting around bans, etc.

      You already presumably know your own password.

    7. Re:Saw this on K5 by temojen · · Score: 1

      And then you could use that knowledge to tarnish the reputation of a troll.



      (RTFA to see whose passwords they gave out.)

    8. Re:Saw this on K5 by STrinity · · Score: 1

      Big deal. Everyone in each group is the same person

      According to the theory of the person who compiled the list. And there's absolutely no chance -- nuh-uh, none -- that these passwords might be common because they're common words.

      --
      Les Miserables Volume 1 now up with my reading of
    9. Re:Saw this on K5 by fbjon · · Score: 1

      No, you don't know the password, because the password is not written on that page. The passwords for all those users are unknown; the title for each group is just one of the members of each group. Once again the über-reporting of /. strikes back.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
  15. I'm safe then... by debiansid · · Score: 1

    apparently only users with common passwords, like dictionary words, are affected

    I guess I'm safe then... I doubt that anyone has eU5L83Bs as their password.....

    Oh wait....

    1. Re:I'm safe then... by KodeK · · Score: 1

      Oh, don't worry, I changed it for you, your new password is: password

  16. 3 most commonly used passwords by LegendOfLink · · Score: 1

    "Alright, what are the three most commonly used passwords?"

    "Love, secret, and uh, sex. But not in that order, necessarily, right?"

    "Yeah but don't forget God. System operators love to use God. It's that whole male ego thing."


    Personally, I like to use "Tehl33th4x0rb0y", because it satisfies the strong password requirement ;)

    1. Re:3 most commonly used passwords by Anonymous Coward · · Score: 0

      I'm going for a shit.

      Slashdot requires you to wait 2 minutes between each successful posting of a comment to allow everyone a fair chance at posting a comment.

      It's been 5 minutes since you last successfully posted a comment

  17. Cracko Ho! by Apreche · · Score: 1

    Great, now I have a list of usernames which can easily be cracked with a dictionary crack.

    --
    The GeekNights podcast is going strong. Listen!
    1. Re:Cracko Ho! by Geoffreyerffoeg · · Score: 1

      Not necessarily. Suppose each password is on the order of !T%#GG$@42tyf2. The reason the passwords are the same is because the same person owns all those accounts.

    2. Re:Cracko Ho! by Anonymous Coward · · Score: 0

      Says you. Fact is, you have no way of knowing for sure.

  18. Whew, I'm safe! by sveskemus · · Score: 2, Funny

    Good thing my password is *********.

    1. Re:Whew, I'm safe! by Anonymous Coward · · Score: 0

      You insensitive clod, that's my password!

    2. Re:Whew, I'm safe! by Anonymous Coward · · Score: 0

      obligatory bash reference http://www.bash.org/?244321

    3. Re:Whew, I'm safe! by Cro+Magnon · · Score: 1

      Ack! I have the same password!

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  19. Old News by jdavidb · · Score: 1

    Apparently this is over a year old and is being spun by the article submitter.

  20. "Redundant"? by Anonymous Coward · · Score: 0

    Why the fuck was this modded down 'redundant'?
    If you bother to do the research, you'll see that all this shit started in July of 2004.

    That's right...Zonk posted a story almost ELEVEN MONTHS OLD, and calls it 'news'.
    and then TMM points it out and is modded 'redundant'.
    nice.

    1. Re:"Redundant"? by Anonymous Coward · · Score: 0

      Hahaha, stupid cry baby. So what it's redundant, this slashdot not some respectable community.

    2. Re:"Redundant"? by FidelCatsro · · Score: 0

      It was right to be redundant, that was 10 months ago not 1 year (note: not meant to be taken seriously)

      --
      The only things certain in war are Propaganda and Death. You can never be sure which is which though
  21. just had to... by nih · · Score: 1

    anyone done a wiki on this?

    --
    I'm a rabbit startled by the headlights of life :(
  22. Still Waiting by Keystroker · · Score: 0, Funny

    I'm still waiting on who actually uses Wikipedia as their primary source of information. :rollseyes:

    --
    Avarus animus nullo satiatur lucro.
    1. Re:Still Waiting by interstellar_donkey · · Score: 1

      I'm still waiting on who actually uses Wikipedia as their primary source of information

      That's alright. You can always start reading Wikipedia articles now to improve your knowledge. Then perhaps go back to school and get a degree.

      In a few years you might be able to leave the restaurant industry and join others who read Wikipedia at the table.

      --
      The Internet is generally stupid
    2. Re:Still Waiting by Keystroker · · Score: 0

      I didn't mean it in the way you're assuming. Most of the things in Wikipedia are common knowledge.

      --
      Avarus animus nullo satiatur lucro.
    3. Re:Still Waiting by fredrikj · · Score: 2, Funny

      I'm still waiting on who actually uses Wikipedia as their primary source of information.

      According to this page I found, which seems reliable, "Its articles have been cited by the mass media and academia."

  23. retrying to get through the terrible "human" filte by Anonymous Coward · · Score: 0

    Given that I just create a new username & password on the fly any time I want to write something to wikipedia, because it is so lightweight to create an account (don't need email, and it gives you a link to go back to where you were -- very convenient), I'm not sure how much this affects me :) :)

    Good god, this "human" filter is horrible...

  24. No passwords leaked by fredrikj · · Score: 2, Informative

    Quote:

    All the accounts listed on this page have been created solely for the purpose of trolling, and this page was set up to make it easier to determine whether two troll accounts belong to the same person.

    No passwords have been leaked, and the only people affected are trolls.

    1. Re:No passwords leaked by Anonymous Coward · · Score: 0

      Nope, sorry to bust your bubble... "I did some quick checks, and it appears there are some non-trolls on the list, e.g. User:Perrak.--Eloquence* 19:28, May 31, 2005 (UTC)" (from here)

  25. I use my dog's name as my password. by Anonymous Coward · · Score: 2, Funny

    I use my dog's name as my password.
    My dog's name is currently "rV4q-p2", but I change it every 90 days.

    1. Re:I use my dog's name as my password. by Council · · Score: 1

      mod parent "+1 made me spray drink out my nose"

      --
      xkcd.com - a webcomic of mathematics, love, and language.
  26. So in other words by Anonymous Coward · · Score: 0

    For once, we should not attribute to incompetence what can be explained by malice?

  27. You're missing the point by Geoffreyerffoeg · · Score: 4, Informative

    1) Those heading titles aren't the passwords themselves, just one member from the group. The original passwords are encrypted and unknown. These are users with the same hash. Nobody knows if they used a password like "my_pass_word" or like "ar49B!4Nc&&". Password strength is irrelevant. Besides, the developers of any site always have access to your password hashes, since someone needs full read access to the databases.

    2) A quick glance at those lists shows that they're all duplicate ("sock-puppet") accounts, and they're mostly from trolls. If you haven't watched Wikipedia much, you may not know the illustrious story of the sock-puppets, but even seemingly unrelated names (e.g., Lir and Pizza Puzzle) are widely believed to be the same user.

    3) This story is what they call "FUD". If someone finds a valid user's account among these, then tell the user, and say that you found one (you don't have to say who). Until then, since the page appears to be all sock puppets, don't assume that there are innocent civilians caught in the collateral damage. As the page says, "all the accounts listed on this page have been created solely for the purpose of trolling." Only when that claim is disproven does the page become a worry.

    -- User:Geoffrey on Wikipedia

    1. Re:You're missing the point by mattdm · · Score: 1

      3) This story is what they call "FUD". If someone finds a valid user's account among these, then tell the user, and say that you found one (you don't have to say who). Until then, since the page appears to be all sock puppets, don't assume that there are innocent civilians caught in the collateral damage. As the page says, "all the accounts listed on this page have been created solely for the purpose of trolling." Only when that claim is disproven does the page become a worry.

      Because, y'know, guilty until proven innocent.

    2. Re:You're missing the point by Anonymous Coward · · Score: 0

      There's been way too much FUD on slashdot lately. :\

    3. Re:You're missing the point by pomo+monster · · Score: 1

      "A quick glance at those lists shows that they're all duplicate ("sock-puppet") accounts, and they're mostly from trolls"

      And as I just pointed out here--how can you be so sure? Is it just because they happen to share the same password? Or is it because they've been caught vandalizing before?

      And if the latter, then what's the need for this page at all?

      The fact is, you can't know that all those accounts belong to sockpuppets and vandals. I'm a contributor to Wikipedia myself, and it's more than a little discouraging that all the other Wikipedia users posting to this discussion are scrambling to make excuses for what is, in reality, a rather serious incident.

    4. Re:You're missing the point by idontgno · · Score: 3, Insightful
      Those heading titles aren't the passwords themselves, just one member from the group. The original passwords are encrypted and unknown. These are users with the same hash.

      Yes, and as such everyone in the same heading now knows the password for everyone else in the same heading. Given the high likelihood that many of the accounts are trolls, that means if innocent Wikipedian "you" happen to share a password with a troll, that troll knows it now. Lucky you.

      they're mostly from trolls.

      What, only "mostly"? Not a very strong assertion in the face of a potential privacy violation. C'mon, if you're gonna assert that you intend to "out" only the trolls, you need to stick to the story. Admitting that the list is "mostly" trolls is admitting that the list is "partially" innocents. Who have now been screwed.

      As the page says, "all the accounts listed on this page have been created solely for the purpose of trolling."

      Well, then, obviously there's no story. Silly us. The creator of the page says there's no innocents listed, therefore there are no innocents listed.

      In related news, Microsoft Windows is the most secure server OS EVAR!!! MS's Marketing department sed so!

      Only when that claim is disproven does the page become a worry.

      No, in a sane world, the page is a worry until the counterclaim is positively proven: that there are demonstrably no innocent user IDs on the page.

      Until then, I'm gonna watch that page and its automated incarnation (if it occurs) very carefully. I have been a moderately active Wikipedian up until now, but if I'm gonna get carpet-bombed just because I accidentally move in next door to a troll, I'll find someplace else to contribute.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    5. Re:You're missing the point by Anonymous Coward · · Score: 0
      "...don't assume that there are innocent civilians caught in the collateral damage."

      No need to assume:

      I did some quick checks, and it appears there are some non-trolls on the list, e.g. User:Perrak.--Eloquence* 19:28, May 31, 2005 (UTC)

      http://en.wikipedia.org/wiki/User_talk:Tim_Starling/Password_matches

      Looks like it's already happened.

    6. Re:You're missing the point by Anonymous Coward · · Score: 0

      There's been way too much FUD on slashdot lately. :\

      Just way to much crap in general. It first started to REALLY go downhill when whomever had to server their own little liberal agenda and put a "politics" section up. From there on it created enemies and allies and since then it's been nothing but attack and counter-attack. FUD is just part of it. Wait until the next wave of slash-vertisements and yet another series of "overrated" mod attacks. Instead of tying down their own loose corners slashdot is way too busy pointing out everyone elses mistakes.

    7. Re:You're missing the point by chinakow · · Score: 1

      What, only "mostly"? Not a very strong assertion in the face of a potential privacy violation. C'mon, if you're gonna assert that you intend to "out" only the trolls, you need to stick to the story. Admitting that the list is "mostly" trolls is admitting that the list is "partially" innocents. Who have now been screwed.

      You say that like it is a bad thing. Did you know that to have someone put to death in the USA there can be doubt as to that person's innocence and they will still fry 'em until they are dead. People are put to death because there is no reasonable doubt, and it seems to work pretty well, although I would personally get rid of that statement in murder trials.

      The point is that this is Wikipedia, I do not expect my info to be secure, I add stuff if I like but someone can change what I write without even logging in, so, who cares if I have the same password hash as some troll, I can change the password and apologize later if a troll used my account for trolling purposes, Wikipedia != your bank website.

    8. Re:You're missing the point by jdavidb · · Score: 2, Informative

      Until then, I'm gonna watch that page and its automated incarnation (if it occurs) very carefully.

      I hope you watch carefully enough to discover that there is no automated incarnation, that the page is a year old, and that the developer involved agreed that there were security issues, apologized, and will not do it again.

      After that your watch may get somewhat boring.

    9. Re:You're missing the point by lethe1001 · · Score: 1

      and furthermore, even if they are trolls, does that mean that it's OK to violate their privacy?

    10. Re:You're missing the point by STrinity · · Score: 1

      The point is that this is Wikipedia, I do not expect my info to be secure,

      That's a bad attitude to take. You might not care whether your account is secure, but you should still expect it to be.

      --
      Les Miserables Volume 1 now up with my reading of
    11. Re:You're missing the point by idontgno · · Score: 1
      I understand that the final decision relative to making this "search for shared passwords" automatic was that it wasn't going to be. At that time.

      Things change, including minds. That's why I wrote "if it occurs", not "when". I'm not completely convinced that all administrative players believe that this kind of database mining is actually bad, so I'm going to keep an ear open.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    12. Re:You're missing the point by chinakow · · Score: 1

      Sure I could expect privacy, but that is a good way to set myself up for a disappointment, I like my way better. :-)

  28. Eeeep! Same name?! by Anonymous Coward · · Score: 0

    What's freaky is the guy's name is Tim Starling.. We have like the same name so when I clicked the link I was like omfg how do they know who I am, but I re-read it and realized the two letters are in different places in the last name -_-

  29. hah...no problem here by adlaiff6 · · Score: 0

    My password is always the first 17,000 prime Fibonacci numbers!

  30. Check your facts by Raul654 · · Score: 1

    If you had bothered to check your facts, you would see that Tim Starling's list was made last July, well before the privacy policy was written. Also, the impetus for him doing this was to catch one particularly troublesome user who was known to use sockpuppets accounts like this all the time.

    --


    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
    1. Re:Check your facts by daveschroeder · · Score: 1

      1. The fact that the list was made prior is irrelevant, because as soon as any privacy policy containing that excerpt regarding passwords was even marginally in effect, an egregious violation of said policy should be remedied. Are you telling me that every continuing violation of the privacy policy should be allowed to continue, simply because it existed before the privacy policy...?

      2. I know exactly what the impetus was, as I stated specifically numerous times in my post. That still doesn't excuse overly broad and public dragnets that will invariably catch some innocent people at the same time.

    2. Re:Check your facts by Raul654 · · Score: 1

      "That still doesn't excuse overly broad and public dragnets that will invariably catch some innocent people at the same time."

      Would you care to identify a single innocent person caught up in this? I thought not. I'll let you get back to your baseless inflammatory ranting now.

      --


      To make laws that man cannot, and will not obey, serves to bring all law into contempt.
      --E.C. Stanton
    3. Re:Check your facts by daveschroeder · · Score: 1

      If you have no problem with Wiki{p,m}edia violating its own privacy policy, regardless of when it was created, and regardless whether the users are trolls/sockpuppets, etc., knock yourself out.

    4. Re:Check your facts by Raul654 · · Score: 1

      Please show me where in the privacy policy it says that it was meant to be retroactive. The policy *does* say that: "Where the user has been vandalising articles or persistently behaving in a disruptive way, data may be released to assist in the targeting of IP blocks, or to assist in the formulation of a complaint to relevant Internet Service Providers." If this policy had existed in July when Tim made this list, things would have been much different. The list would, in all likelihood, have been sent to the arbitration committee (via the arbcom's private mailing list).

      --


      To make laws that man cannot, and will not obey, serves to bring all law into contempt.
      --E.C. Stanton
    5. Re:Check your facts by daveschroeder · · Score: 1

      The discussion is academic at this point, but most reasonable people would likely agree that ongoing violations of privacy policy should not get "grandfathered in", as it were, when a privacy policy goes into effect or changes. Sure, you can't change the past, but this isn't the past: this is the present, and the page, which itself is the manifestation of the privacy violation, still exists. If anything, it would be a responsible statement on the part of Wikimedia to remove the page, in light of the privacy policy it can be argued to clearly violate.

      If your response is that the page is almost a year old, and therefore any privacy concerns for possibly innocent users are almost certainly now moot, wouldn't it also be true that the information on the page is now also so old that it should simply be removed? What is the purpose of the page's continuing existence if it is so old that its very age is used as a defense against possible privacy violations?

      Please note that I understand the annoyance and burden of the trolls; that is currently beside the point of this discussion.

    6. Re:Check your facts by daveschroeder · · Score: 1

      Further, from here:

      Also, I did some quick checks, and it appears there are some non-trolls on the list, e.g. User:Perrak.--Eloquence* 19:28, May 31, 2005 (UTC)

      Given that you've found at least one non-troll on the list, I think the privacy concerns mentioned on Slashdot have been well validated. It's not just theoretical, it's real. I'm just astonished to find out that something like this happened here, and I'm more than a little bothered by the fact that everyone seems to keep apologizing for this dangerous recklessness on our (Wikipedians) part. Typogfk 19:44, 31 May 2005 (UTC)

    7. Re:Check your facts by Anonymous Coward · · Score: 0

      That still doesn't excuse overly broad and public dragnets that will invariably catch some innocent people at the same time

      This is nothing more than your opinion. You have a right to your opinion. My opinion, however, is that Wikipedia has a lot of checks and balances to minimize admin abuse; it is the best balance I have seen between letting trolls take over the place (what we see on Slashdot or Kuro5hin) and letting admins be abusive (what I see over at christianforums.com).

      Wikipedia is the best balance I have seen between having an open environment that still leaves out the kinds of people who ruin it for everyone else.

      You think Wiki has gone too far in trying to get rid of trolls? You have a right to think that. Just as I have a right to think differently.

    8. Re:Check your facts by Le+Marteau · · Score: 1

      I have seen between letting trolls take over the place (what we see on Slashdot)

      They have NOT "taken over the place". If you read at -1, it would seem that they have, but that's your choice. If you read at a reasonable score level, the trolls will not seem to have "taken over the place".

      --
      Mod down people who tell people how to mod in their sigs
    9. Re:Check your facts by starwed · · Score: 1

      They have NOT "taken over the place". If you read at -1, it would seem that they have, but that's your choice. If you read at a reasonable score level, the trolls will not seem to have "taken over the place".

      That only applies to comments. Sadly, since articles are not rated, quite a few trolls will still get through. ^_^

    10. Re:Check your facts by Anonymous Coward · · Score: 0

      Also, the impetus for him doing this was to catch one particularly troublesome user who was known to use sockpuppets accounts like this all the time.

      In case anyone is wondering, here is the definition of a "sockpuppet" (as used at Wikipedia).

  31. Strong! by fm6 · · Score: 1
    ...apparently only users with common passwords, like dictionary words, are affected...
    Well duh! A strong password is something like "vtu1vjkn" (which I just generated using RoboForm). Hard to imagine that getting duplicated by accident.
    1. Re:Strong! by jschottm · · Score: 1

      A strong password is something like "vtu1vjkn"

      A strong password would involve capital and lower case letters, numbers, and characters. That password would take (36^8)/2 attempts on average to bruteforce. That's a small number to today's high-end computers.

    2. Re:Strong! by fm6 · · Score: 1
      Strong is relative. Arnold is stronger than I am, but not as strong as Superman. Your rote suggestion that I use a "full" character set only doubles the entropy of my password. If you want to follow that argument to its logical conclusion, you should insist that a password isn't "strong" unless it contains non-Latin characters (Hebrew, Cyrillic, Kanji, Hangul...) which would increase the entropy by several orders of magnitude. But that would make the password very difficult to enter, so of course everybody limits themselves to characters they're familiar with. I choose a further tradeoff that cuts my entropy in half but still makes my passwords stronger than any tool anybody's likely to bring to bear.

      Security is always about tradeoffs. If you're that paranoid about password protected access, you shouldn't use it at all.

    3. Re:Strong! by jschottm · · Score: 1

      Your rote suggestion that I use a "full" character set only doubles the entropy of my password.

      Rote? Knowing industry best-practices is rote these days?

      Check your math. The complexity grows exponentially. Your statement suggested that randomness makes a secure password, which is not true. A secure password requires a combination of length and (at least pseudo-)randomness or extreme length.

      A randomly generated 8 character password from the character set {ab} has 256 possibilities. Increasing the set to {abc} increases it to 6561, and {abcd} to 65536. That's far beyond doubling.

      The difference in the average time to force an 8 character {a-z0-9} set like you suggested (which can be brute forced in about a day (at most) on a standard desktop computer) and an 8 character 95 character set is *4703. That means that a standard computer could brute force it (on average) in a dozen years or so. Which for most people's standards is a big enough number.

      (Note that "good enough" doesn't apply to people who aren't bright enough to properly salt their hashes, leading to the possibility of just generating rainbow tables.)

      Non-Latin characters would increase the strength, but at the cost of backwards compatibility and usability on systems that didn't support them. A properly designed hash system can accommodate an infinitely long password, meaning that in practical terms you can just add a few characters when you need additional strength. My main online banking password is a 13 character pseudo-random string (it's derived from something, but only in a way that makes sense to me) that draws from the extended character set. It's prolly more memorable to me than your 8 character random one yet provides much, much stronger protection.

      If you're that paranoid about password protected access, you shouldn't use it at all.

      Most things don't offer a practical alternative. I use practical but relatively strong passwords, whereas you made the statement that a simple random password was secure. Simply adding a mix of capital letters to yours would increase the time to brute force by over *72, while not being much less memorable than the original.

    4. Re:Strong! by fm6 · · Score: 1
      Rote? Knowing industry best-practices is rote these days?
      If saying "best practices" is just an excuse for not thinking for yourself, damn right it's rote. I'm protecting a stupid Wikipedia account, not a 7-figure bank account. The amount of effort you go to to protect something should be proportional to the thing you're protecting. Picking a mean level of security and applying it when it's both too strong and too weak is stupid.
  32. Re:Mod Article Down by BACbKA · · Score: 1

    It is a case where a Wikipedia troll has succeeded in using Slashdot as his tribune. Pity the /. editor, he'll be flamed now...

    --

    VKh

  33. This whole story is flamebait by Raul654 · · Score: 4, Interesting

    First, this was not a technical flaw - this was one developer intentionally looking for identical password hashes. Second, this is not news - the page in question was created last July as a one time thing to flush out trolls.

    Why would we publish a list of accounts with identical passwords? Because certain trolls are known to register multiple accounts with the same password, and use them to troll, vote stuff, and all sorts of other unpleasant activities. Of course, many times, it is not hard to guess who those accounts belong to based on editing habits, but of course the trolls in question will deny it. But being matched by password was a one-time way to shoot through all their lies. This whole story is old, and the summary is horribly biased.

    --


    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
    1. Re:This whole story is flamebait by Anonymous Coward · · Score: 0

      First, this was not a technical flaw - this was one developer intentionally looking for identical password hashes.

      Except that is a technical flaw. I can't find the paper right now, but the reason for using salt in password hashes was published over 30 years ago. This kind of problem doesn't happen on a decent password system.

    2. Re:This whole story is flamebait by Anonymous Coward · · Score: 0

      I can't find the paper right now, but the reason for using salt in password hashes was published over 30 years ago.

      Can't find it either. Google has failed me.

    3. Re:This whole story is flamebait by ArtStone · · Score: 1

      It seems that by publicly disclosing these trolls, Wikipedia did several bad things:

      1) As others have pointed out, the disclosure acknowledged an unfixed defect in the management of the passwords (no seed)

      2) It disclosed a defensive method that was useful in detecting and shutting down probable sockpuppet accounts. The net effect is that it trained the trolls how to create better sock puppet accounts...

      3) it revealed that a software developer had unfettered access to the entire user database, including the password hashes.

      It appears that Wikipedia took this thread to heart as they have pulled the list, and explained that they are now salting the hashes, and the CTO didn't know it was still online.

      But even if the page is pulled (as slashdot points out daily), once something has been seen one time on the internet, you can never safely assume that copies don't exist somewhere else.

      --
      Final 2006 "Proof of Global Warming" US Hurricane Count -> 0
  34. still... there's a better way to store passwords by Lobachevsky · · Score: 1

    Even though this isn't a "big deal" - that is, no passwords are leaked per se, and accounts with similar passwords as the parent rightly noted are most likely indicative of a single user with multiple accounts, there is a better way to store passwords. Given H(P1) and H(P2), it's trivial to prove that (probably)P1==P2 or (certainly)P1!=P2, which is leaking information. Thus, storing H(P1) and H(P2) is a poor way to preserve secrecy of P1 and P2. A just-as-easy approach would be to salt the hash: store H(username1||\0||P1) and H(username2||\0||P2) -- where || is the string-concatenation operator. Assuming no two usernames are the same, and \0 is an invalid character for both username and password, then nothing is leaked about P1 and P2. (Note, \0 is essential because if username1 is "tomharrison" with password1 = "city" and username2 is "tom" with password2 = "harrisoncity", then we leak information that user2 has user1's password prepended with "harrison" unless we have \0 dividing user and password strings) I would actually prefer true salting: H(random1||P1) and H(random2||P2) where random1 & random2 are random (& mathematically non-secret but you shouldn't feel inclined to publicize them) constants stored alongside the username. This avoids the ugly hack of relying on \0 being special. Unfortunately, this relies on change of datastructure instead of a change in the hash function and hence isn't "just-as-easy".
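
    The grouping-by-hash problem and the two salting schemes described in this post, as an added example that is not from the thread or from MediaWiki; the user names and passwords are constructed sample data, and SHA-256 stands in for the unspecified H:

```python
"""Added example (not from the Slashdot thread): why identical unsalted
hashes leak password equality, and how the two schemes described above,
H(username || \\0 || P) and H(random_salt || P), stop that leak.
All user names and passwords below are constructed sample data."""
import hashlib
import os
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed accounts: two "sockpuppets" share a password with an
# unrelated user, and the tom/tomharrison pair reproduces the
# concatenation ambiguity the post warns about.
ACCOUNTS: Dict[str, str] = {
    "TrollAlpha": "hunter2",
    "TrollBeta": "hunter2",
    "InnocentUser": "hunter2",
    "OtherUser": "c0rrecthorse",
    "tomharrison": "city",
    "tom": "harrisoncity",
}


def unsalted(password: str) -> str:
    """The criticised scheme: H(P), identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def username_salted(username: str, password: str, separator: str = "\0") -> str:
    """H(username || separator || P); separator="" shows the ambiguity."""
    return hashlib.sha256((username + separator + password).encode()).hexdigest()


def random_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """H(random || P); the salt is stored beside the user and is not secret."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


def group_by_hash(stored: Dict[str, str]) -> List[List[str]]:
    """What the 'password matches' page did: users whose stored hashes collide."""
    groups = defaultdict(list)
    for user, digest in stored.items():
        groups[digest].append(user)
    return sorted(sorted(members) for members in groups.values() if len(members) > 1)


def matches_unsalted() -> List[List[str]]:
    """Every user sharing a password ends up in one visible group."""
    return group_by_hash({u: unsalted(p) for u, p in ACCOUNTS.items()})


def matches_username_salted(separator: str = "\0") -> List[List[str]]:
    """With a separator no groups remain; without one tom/tomharrison collide."""
    return group_by_hash({u: username_salted(u, p, separator) for u, p in ACCOUNTS.items()})


def matches_random_salted() -> List[List[str]]:
    """Per-user random salt: equal passwords no longer yield equal hashes."""
    return group_by_hash({u: random_salted(p)[1] for u, p in ACCOUNTS.items()})


def verify_random_salted(stored: Tuple[bytes, str], attempt: str) -> bool:
    """Login check: recompute with the stored salt and compare."""
    salt, digest = stored
    return random_salted(attempt, salt)[1] == digest


if __name__ == "__main__":
    print("unsalted groups:        ", matches_unsalted())
    print("username, no separator: ", matches_username_salted(""))
    print("username + \\0:          ", matches_username_salted())
    print("random salt:            ", matches_random_salted())
```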

  35. accusing the author of trolling to distract us by SuperBanana · · Score: 1, Flamebait
    this is Tim Starling deciding to specifically and literally publish a list of usernames that share the same password, ostensibly for the purpose of revealing trolls and flooders with multiple accounts.

    No, it's a developer using an "ends justifies the means" argument to catch sock puppet accounts created by people too stupid to assign them unique passwords.

    Unfortunately, he didn't think "gee, this might catch some legitimate users off guard", and as a side effect, we see that Wikipedia developers didn't use salts for the passwords, which indicates just how lax they are about security (which is part of the article's point).

    What you seem to be doing is diverting our attention away from the legitimacy of the claims (insecure Wikipedia code, lack of common sense, etc) by simply saying "the author of the story is a troll!"

    it would appear that some of these are indeed obvious duplicate accounts

    Then why didn't the developer simply remove them? If they're troll accounts, the people won't complain, most likely. If they do, say "oops, sorry, we had a little hiccup" (the swamp gas refracted polarized moon light off the stratospheric sub-layer). Problem solved. If submitted edits are tied to accounts, move the edits into a "holding area" for a month where they're not visible to the public (i.e., back them up).

    This seems like basic sysadmin 101, sorry.

    1. Re:accusing the author of trolling to distract us by swv3752 · · Score: 1

      Trolls deserve nothing. If you were so stupid as to use a common word for a password and couldn't even be bothered to do something like change it to "pass45word" then you deserve whatever happens.

      --
      Just a Tuna in the Sea of Life
    2. Re:accusing the author of trolling to distract us by STrinity · · Score: 3, Insightful

      Trolls deserve nothing.

      Frankly, I don't care if they rape nuns, kill puppies for sport, and eat kittens for breakfast. You should not compromise security, even this trivially, for any reason.

      If you were so stupid as to use a common word for a password and couldn't even be bothered to do something like change it to "pass45word" then you deserve whatever happens.

      It's Wikipedia, not Amazon or PayPal. Most people don't care enough to use a strong password.

      --
      Les Miserables Volume 1 now up with my reading of
    3. Re:accusing the author of trolling to distract us by Anonymous Coward · · Score: 0
    4. Re:accusing the author of trolling to distract us by SA+Stevens · · Score: 1

      It's Wikipedia, not Amazon or PayPal. Most people don't care enough to use a strong password.

      But you are so wrong. People who have 'bought into' the Wiki thing are very heavily invested in their 'identity' on the site. Similar to how people cling to their on-line identities on many other venues.

    5. Re:accusing the author of trolling to distract us by TheLittleJetson · · Score: 1

      It's Wikipedia, not Amazon or PayPal. Most people don't care enough to use a strong password.

      You bring up a good point. If only there was some central authentication system for the whole internet. We'd have to put it behind an organization we could really trust, though, like Microsoft.

    6. Re:accusing the author of trolling to distract us by Fearghaill · · Score: 1

      Well done - I honestly had a hard time deciding whether I thought you were being sarcastic.

  36. YHBT HAND by timstarling · · Score: 5, Informative

    A few other people have said it, but you may as well hear it from the source.

    That was the only time I published such lists. They were constructed by searching the database for password matches with the few most active trolls on Wikipedia at the time. People complained about the possibility that innocent users with weak passwords might have been affected. I conceded the point, apologised, and promised not to do it again. The issue was played up at the time by the trolls who were exposed -- not surprisingly, I wasn't winning any friends in that camp. Those same trolls still whinge about the existence of the page today.

    At the time, some people wanted the page deleted to protect any innocent people who might have been listed. The majority wanted the page kept as evidence against the trolls. I had no opinion either way, and so let the page remain in accordance with community wishes.

    Nobody has ever identified a non-troll account on that page. No innocent person has complained to me that they were affected. None of the accounts (aside from the known troll accounts) had any identifying information associated with them.

    1. Re:YHBT HAND by VGPowerlord · · Score: 1
      Unfortunately, this begs the question: why doesn't MediaWiki use salted hashes to store passwords?

      I've noticed that most projects done in PHP don't utilize crypted MD5, even though crypt on most OSes supports it.

      It's really easy to programmatically check to see if the OS crypt supports MD5. Simply pass an 8 character salt to crypt as its first argument, then check the first three characters of the output. If they're $1$, your OS's crypt library supports crypted MD5. This will work in any programming language whose crypt command sends data to the system's crypt command: C/C++, Perl, and PHP to name a few.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    2. Re:YHBT HAND by brion · · Score: 1

      While there may not be any innocents on that page, it skirts our privacy policy to publish that kind of info either way.

      I had thought this page got deleted within hours of being originally posted (votes for deletion process blah blah), and had I been told that it had *not* been I'd have deleted it immediately. I've gone ahead and removed it now.

      --

      Chu vi parolas Vikipedion?

    3. Re:YHBT HAND by peachpuff · · Score: 1
      "At the time, some people wanted the page deleted to protect any innocent people who might have been listed. The majority wanted the page kept as evidence against the trolls. I had no opinion either way, and so let the page remain in accordance with community wishes."

      Don't hide behind "community wishes." Did you ask the community before you published the list? Taking the page down again isn't the same as never putting it up, and I'm sure Wikipedia contributors know that. Even if the majority wanted the information out there, there's a reason they have to go through you to get it--you can't pretend that you have no responsibility.

      "Nobody has ever identified a non-troll account on that page. No innocent person has complained to me that they were affected."

      How could they? The problem is that you gave their password to a troll. Even if they started a new account or managed to change their password before the troll got to it, why would they come to you? What would they gain by going to Mr. Troll-hunter, confessing that they had a weak password and trying to convince him that they are not a troll after all. Maybe you should shoot some people in the face--I bet none of them will complain to you afterwards either.

      What I'd like to know is, did the possibility of innocent victims occur to you before you published the list? In other words, did you not think about the possibility, or did you take it on yourself to disregard it?

      --
      -- . . ramblin' . . .
    4. Re:YHBT HAND by Anonymous Coward · · Score: 0

      Nobody has ever identified a non-troll account on that page.

      My username isn't there, but if it had been, I wouldn't ever have known about it until today. So my question is:

      Did you make any effort to contact the listed users prior to publishing the list? After publishing the list? Why haven't you listed the steps you took to identify and remove the innocents on the page? As it is, it looks like some administrator gone wild breaching the users' privacy.

  37. Jeez, people! by Yekrats · · Score: 1

    The page of troll names has been around since July of last year and, according to the author, is a careful collection of verified troll usernames. The passwords are NOT leaked. The user has simply created a page to collect verified troll accounts (using password hash matches, among other tools). Odds are that the person submitting this to Slashdot and K5 was one of the trolls, themselves. Ha, and Slashdot fell for it! Major troll victory.

    Repeat, the passwords were not leaked... But, if my Wikipedia password is leaked, so what? Some loser-hacker can change my preferences so that math code looks funny? Whoop-ee-freakin'-doo. If my Wikipedia account gets deleted, I'll just make another. Is there anything inherently valuable in a Wikipedia account?

    This is being blown out of proportion in typical Slashdot fashion.

    --
    Ceci n'est pas une pipe.
    1. Re:Jeez, people! by Anonymous Coward · · Score: 0

      It could be a problem if you use the same name/password/email across more than one site.

  38. Obligatory bash.org by nganju · · Score: 3, Funny

    Cthon98> hey, if you type in your pw, it will show as stars
    Cthon98> ********* see!
    AzureDiamond> hunter2
    AzureDiamond> doesnt look like stars to me
    Cthon98> *******
    Cthon98> thats what I see
    AzureDiamond> oh, really?
    Cthon98> Absolutely
    AzureDiamond> you can go hunter2 my hunter2-ing hunter2
    AzureDiamond> haha, does that look funny to you?
    Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
    AzureDiamond> thats neat, I didnt know IRC did that
    Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
    AzureDiamond> awesome!
    AzureDiamond> wait, how do you know my pw?
    Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
    AzureDiamond> oh, ok.

    --
    There are 2 kinds of people in this world. Those that can keep their train of thought,
  39. Wikipedia knows by Anonymous Coward · · Score: 1, Informative
  40. Tempest in a teapot by Eloquence · · Score: 4, Informative
    The gist of the story, which refers to an event from July 2004 (many of the users in question have since left), is correct: there may be legitimate accounts on this list of 109 account names. However, about 90% of them are from identified and well-known trolls and problem users. It's important to know that it's relatively easy for us to block a user, but it's also relatively easy for that user to come back under a new name, especially if they use dynamic IP addresses. Many trolls also like to impersonate others (many of the listed accounts are obvious impersonations of famous Wikipedians).

    Unfortunately, Tim at the time didn't run a password checker against the hashes, which could have thrown weak passwords out of the list and thereby prevented legitimate accounts from being included with reasonable effectiveness.

    The submitter clearly has an axe to grind (and may well be identical to the comment poster). No similar lookup has taken place since July 2004, so this story is a tempest in a teapot.

    I would agree with the criticism in one regard: The decision not to delete the page was mistaken. One problem was that the deletion request came from a troll, which made a lot of people vote to keep the page "by default." The other problem is that the technical arguments to delete the page came in too late to make a difference.

    In any case, as noted, this was months ago, has not been repeated since then, and any non-troll among the listed accounts can simply change their password. We're not talking about credit card data here, anyway -- creating a Wikipedia account takes 20 seconds and doesn't even require a valid email address. All that it contains are a bunch of user preferences.

    1. Re:Tempest in a teapot by OwenMarshall · · Score: 1
      "We're not talking about credit card data here, anyway -- creating a Wikipedia account takes 20 seconds and doesn't even require a valid email address. All that it contains are a bunch of user preferences."

      I have to agree with you until you use an obvious straw man.

      Your argument is "the security doesn't matter because it protects something unimportant. Therefore, why should we care if security for something unimportant is breached?"

      The security, however, is very important. That same password could conceivably be used to protect a user's credit card data.

      One would hope, of course, that users use one password for Wikipedia, and one for banking, but we can't be so sure of that.

    2. Re:Tempest in a teapot by Eloquence · · Score: 1
      Keep in mind that we're talking about multiple accounts matching the same password -- it is highly unlikely that this would happen if the passwords aren't very simple to begin with. If a user uses such an insecure password in an important context, that password is susceptible to dictionary attacks, which are a much more widespread problem than a random troll by chance finding out that some user on Wikipedia has their password and trying it in a large number of contexts. Any security-relevant website should also perform checks on its users' passwords.

      All this doesn't mean that Wikimedia shouldn't care for its users' password security, of course, but you shouldn't expect enterprise-grade security from every website you sign up to. Given that Wikimedia employs a single part-time systems administrator, I think it's completely possible that we will see a major password compromise at some point in the future.

      You may want to read the Wikipedia article "straw man", by the way. :-).

    3. Re:Tempest in a teapot by fuck+nwbvt · · Score: 1

      109 account names. However, about 90% of them are from identified and well-known trolls

      So Wikipedia exposed ~11 passwords, along with their usernames. Which, given that their owners weren't security conscious enough to pick non-dictionary passwords, they probably use on other sites too. Verbatim. And you don't see any problem with this.

      Remind me why anyone should trust you with their passwords?

    4. Re:Tempest in a teapot by anthony_dipierro · · Score: 1

      Unfortunately, Tim at the time didn't run a password checker against the hashes, which could have thrown weak passwords out of the list and thereby prevented legitimate accounts from being included with reasonable effectiveness.

      That's a horrible solution. What's unfortunate is that Tim had access to the hashed passwords in the first place. Sure, by any trivial implementation *someone* has to have access to it, but that should be a person who can be trusted never to actually use that access.

      No similar lookup has taken place since July 2004, so this story is a tempest in a teapot.

      How can you be so sure of this? Are you the only one who has access to the passwords? From what Brion said, the hash mechanism hasn't changed at all. Sure, no similar lookup has been published since July, but that doesn't mean that it hasn't happened.

      Sure, you should always assume that all administrators of any particular system have full access to your cleartext password, but it's still quite a shock when you find out that an admin is actually using that access.

    5. Re:Tempest in a teapot by OwenMarshall · · Score: 1

      What, I said your argument was old clothing stuffed with straws? ;-)

      Having no formal logic education, I largely based my assertion that your original argument was a straw man on my interpretation of... you guessed it, that same Wikipedia article!

      Hm, go figure, using a Wikipedia article to try and refute what a (I am assuming) Wikipedian is saying.

  41. avoiding this exploit by merlin_jim · · Score: 1

    is easy; salt your hashes.

    For each user, generate a string of bits that is at least your cipher block length (160 bits for SHA1, IIRC)... save that string (cleartext) to the user profile. Then when you hash the password, add the "salt" to the end.

    password + salt will always hash to the same value. And no two users with the same password will have the same hash. Problem solved.

    --
    I am disrespectful to dirt! Can you see that I am serious?!
    1. Re:avoiding this exploit by Anonymous Coward · · Score: 0

      You can just as easily use the user name as the "salt" and get the same effect without the need of extra information stored for each user.

    2. Re:avoiding this exploit by Ambush+Commander · · Score: 1

      RTFA, especially the talk page when it comes to Wikipedia. Brion Vibber has already commented on the salting.

    3. Re:avoiding this exploit by merlin_jim · · Score: 1

      You can just as easily use the user name as the "salt" and get the same effect without the need of extra information stored for each user.

      Depends on the particular hash algorithm you're using; Microsoft recommends that the salt size and the hash bit-length be the same for maximum obfuscation.

      In addition, having the salt hidden adds a tiny bit of extra security in that it is much harder to just start running strings through the hash algorithm in a brute force attack.

      But then again, in theory a brute force attack is supposed to take longer than the data has value anyways, so if you've done your homework then bad people can mine your salt table all day and get no useful information (in theory).

      --
      I am disrespectful to dirt! Can you see that I am serious?!
  42. Didn't you learn in school ... by Anonymous Coward · · Score: 0

    that all passwords should be "different".

  43. If you're a vandal on wikipedia... by ArsenneLupin · · Score: 1

    ... you should use a really common password. That way, if your cover is blown, you'll have at least the consolation that you'll find a nice phull bucket of phish on Tim Starling's page!

  44. Mod Up! by 0kComputer · · Score: 1

    Way to stick to your guns dude. You have to be pragmatic in situations like these, and I think you did the right thing. This whole article should be modded -1 flamebait.

    --
    Top 10 Reasons To Procrastinate
    10.
  45. Two lessons here: by callipygian-showsyst · · Score: 2, Insightful

    1. You should never have a password appear in a publicly readable "hash" or URL parameter, even if it's one-way encrypted

    2. You should NEVER use a password for a site that's the same as an important password

    I tend to have three tiers of password:

    1. "junk" passwords for non-critical sites (like /. or nytimes registration) that don't really matter

    2. secure passwords for web-based email, etc, that I wouldn't want getting out

    3. High-security passwords for banking, etc (these are different for each site, and I write them down and keep the list in my safe.)

    1. Re:Two lessons here: by Sjobeck · · Score: 0

      Touché.

      I do the same thing with passwords (i.e., 3 classes). Ever since I saw one of my supposedly more secure passwords show up in an email one time, I've realized that no site can be trusted with keeping it secure/private.

      I would add to that list that they must be changed from time to time, for dog's sake, at least yearly; how hard is that?

  46. Salt by Saeed+al-Sahaf · · Score: 1

    Forget the LONG-WINDED tales of "salt". It's like this: You cook up something good, and to tweak it just the right amount, you add a pinch of SALT. Think about it.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  47. Re:still... there's a better way to store password by OblongPlatypus · · Score: 1

    What is so wrong about relying on \0 being special? In fact, when working in languages that for some reason or other don't like working with null bytes (I'm looking at you, PHP), I've replaced \0 with qnblwfoqiwbegasfoi, which technically would be a legal part of a password, but is statistically assured never to be chosen by anyone.

    (Purists always hate it when I say something like this. Oh well.)

    --
    -- If no truths are spoken then no lies can hide --
  48. An Outrage! by Anonymous Coward · · Score: 2, Insightful

    That worthless Microsoft..., wait I mean switch to Lin..., I mean stupid DMCA lawyer...oh nevermind, someone that we all like is at fault, we'll ignore it.

  49. Mod post above upward by Anonymous Coward · · Score: 0

    haheee !
    It gave me a good laugh :D :D :D

  50. Wow! by nagora · · Score: 1
    Single least important security breach EVER!

    Imagine: there's some chance that someone could use this to reduce the reliability of data on Wikipedia! The horror, the horror...

    TWW

    --
    "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
  51. That's an astounding premise for password managers by NRAdude · · Score: 0

    If a website registry restricts accounts based on a chosen password being duplicate to an existing user's password, it's almost as though that password is verily being utilized as secret private-side username. Why wouldn't a password be unique as though a name or IP address of a recursive subnetwork? This is the founding premise for biometric identification as a password; looking for a unique trait to be used as authentication rather than the graceful suggestion of the account holder.

    Turning the worm: That unlawful administrator is no different than a terrorist and needs to be accused for violating the good faith of participants in the act of unjustifiedly revealing any authoritative statistic of WikiPedia participants' entrusted secrets. All the information entrusted to WikiPedia is copyright limited by the respective owners; any agreement implied or coerced that suggests contrary to the charter of a service wholesomely notwithstanding. Do you suppose WikiPedia is among those websites that presses agreements that amount nothing more than an indemnification of the corporation as though a sovereign? eBay, Yahoo, Microsoft, United States, and whatnot all behave similar agreements of such. It seems these creatures of a state can only live when people breathe life into them. WikiPedia would surely rot if everyone retracts their copyright information, so would other corporations for that matter.

    --
    without prejudice
  52. Boneheaded Wiki Admins :( by Anonymous Coward · · Score: 0

    I seriously doubt they've stored them as anything other than plain text if they're able to match up passwords.

    Of course, if they're hashing the passwords without a salt, hashing them is likely quite useless, as anyone who can get ahold of the password hashes will have a significantly easier time than they should.

    But in all honesty, I *really* think this means they're storing the passwords as plaintext, which is a REALLY BAD IDEA.

    I'd change my Wikipedia password if I had one, and change the password to any other accounts I had which share that password (hopefully none--you guys do know better than to reuse passwords to important things on unimportant sites like Wikis, right?)

    But yeah, while I understand their reasoning, it would appear to point to bad security practices which could be dangerous. With that many users, enough of them are probably dumb enough to reuse the passwords, making Wikipedia a nice, juicy target for the malevolent :(

    Anyone storing passwords in plaintext in this day & age, or hashing them without a salt deserves a knock upside the head. It's just not right :(

    1. Re:Boneheaded Wiki Admins :( by Jeffrey+Baker · · Score: 1

      Nearly every store on the web keeps your credit card number on file in plain text. Most people just assume their local database is private, which is obviously incorrect.

    2. Re:Boneheaded Wiki Admins :( by Anonymous Coward · · Score: 0

      > Nearly every store on the web keeps your credit card number on file in plain text.

      If you can name one, let Visa know. They'll yank their merchant account right quick, as it's a clear violation of security policy.

      Still, it has to be reversible encryption for any "remember my card" to work (unless they set up a payment account), and the key has to be provided automatically, so said encryption may as well be rot13.

    3. Re:Boneheaded Wiki Admins :( by anthony_dipierro · · Score: 1

      Of course, if they're hashing the passwords without a salt, hashing them is likely quite useless, as anyone who can get ahold of the password hashes will have a significantly easier time than they should.

      Hashing in this type of situation protects you from inadvertently seeing someone's password, that's about it. It doesn't protect you from someone doing something actively evil, like Tim Starling did. Even if you have a salt, it doesn't really matter because somewhere you have to store the salt. Sure, using a salt will slow down a dictionary attack, so you can't crack multiple passwords at once, but it doesn't slow down the time it takes to crack one password.

      And of course, anyone who has access to the machines, like Tim Starling does, could easily obtain the clear text password anyway, by simply sniffing the traffic or otherwise capturing the password before it gets hashed in the first place.

      Anyone storing passwords in plaintext in this day & age, or hashing them without a salt deserves a knock upside the head. It's just not right :(

      I suppose, but any time you type a password into a system you should assume the system operators have access to that cleartext password. The only way to completely avoid this would be some sort of client-side javascript hashing or the use of public/private keys.

    4. Re:Boneheaded Wiki Admins :( by Anonymous Coward · · Score: 0

      I take it you've never used the numrange operator they used to have? Quite a few... interesting... files were uncovered with it...

  53. Eh? by Anonymous Coward · · Score: 0

    You can't seriously believe they're hashing the passwords with that setup, can you?

    Granted, they could be hashing them with a constant or no salt at all, but I don't seriously believe they have them any better protected than plain text.

  54. Oh come on! Spend some time on your submission... by Anonymous Coward · · Score: 0

    Least. Important. Security. Breach. EVER!

  55. Ok, so let me get this straight by Raul654 · · Score: 1

    If you retroactively apply the privacy policy (which makes no mention of being retroactive), AND you ignore the fact that this user left before the policy was even formulated, then one user (out of 109) might have had his privacy violated by telling everybody his hash matched another user's. And this merits a slashdot front-page story?

    --


    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
    1. Re:Ok, so let me get this straight by daveschroeder · · Score: 1

      Again, I don't think that a privacy policy needs to specifically state anything about being retroactive in order to apply to potentially ongoing violations of the policy in its current form, even if you argue that it's old information, that it happened before the privacy policy, etc.

      Front page slashdot story? No, definitely not. ;-)

    2. Re:Ok, so let me get this straight by jdavidb · · Score: 1

      Given that the page will not be updated and there are no active users on it whose privacy has been compromised, why do you persist in branding this an ongoing activity?

    3. Re:Ok, so let me get this straight by jdavidb · · Score: 1

      And this merits a slashdot front-page story?

      Not to mention a couple of hundred comments from trolls saying, "See? I told you Wikipedia would never work! They need to make a lot of changes if they want to be considered professional. I'm so snooty I could never contribute to a project like this!"

      It's a slashdot tradition, now.

    4. Re:Ok, so let me get this straight by pomo+monster · · Score: 1

      Because the usernames are still on the list, still public, and still available for anyone else on the list to take advantage of. Whether or not they're still active Wikipedia contributors is irrelevant to their right not to have their passwords exposed in such a fashion.

    5. Re:Ok, so let me get this straight by fuck+nwbvt · · Score: 1

      Actually, this guy (Perrak) seems to be active, his last contributions were just last month. Someone should let him know that a troll knows his password (assuming he uses the same password on de.* and en.*).

  56. That post... by game+kid · · Score: 1

    ...just got wikified and PWN3D!!1

    I edited a few Wikipedia articles and made one, but (from reading the story) I'm very glad that I did so anonymously. Now if someone leaks my Slashdot password, they are just asking for a beating...or something like that.

    --
    You can hold down the "B" button for continuous firing.
  57. I'm too lazy... by th3space · · Score: 1

    "This is probably a good occasion to remember to use strong passwords (apparently only users with common passwords, like dictionary words, are affected)." to look it up - it was only just last week - but someone here suggested using physical location based passwords...it seemed a pretty good suggestion to me, and I've gone ahead and modified all of my passwords to reflect where I most often log in to things from.

    There's a slight problem with this, though...I can't remember what the girl I was staring at while doing all of this at a nearby coffee shop was wearing, and now I can't log into anything but slashdot!

    --
    "How like you to drag your keyboard to a gun fight." - Aaron Bedard (BANE)
  58. Re:still... there's a better way to store password by fbjon · · Score: 1
    It's true that this gives better security, but is that small extra boost worth it? I'd say it's more in the interest of wikipedia to be able to find hordes of puppet-accounts, than to give a meager security boost, at least for now.

    Also, from the queue on K5, this article might just be the death squirms of the nailed troll(s) anyway.

    --
    True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
  59. It's not a leak, it's a feature by jbplou · · Score: 1

    It's an encyclopedia, so they need to have a reference on usernames and passwords.

  60. In Wikipedia we trust by foolip · · Score: 1

    Those who, like me, don't quite know what a salt is in hashing, can consult wikipedia.

    The article is a stub, so it could use some improvement I guess.

  61. Re:Shame on you for being a complete MORON by Anonymous Coward · · Score: 0

    > Perrak does not count as he is not an active user

    WTF? Don't you realize that a lot of people use their password
    on more than one site at a time? What a stupid motherfucker
    you are.

  62. Salted hashes by brion · · Score: 1

    The default behavior in MediaWiki is to use salted hashes.

    On Wikipedia we've inherited older behavior (along with the older database) to use non-salted hashes as a stopgap until a mass user account migration is done to provide some single sign-on capability between our wikis; the salt would make it impossible to migrate without getting everyone to reset their passwords manually.

    Depending on how we do it we may end up doing that anyway though.

    --

    Chu vi parolas Vikipedion?

    1. Re:Salted hashes by VGPowerlord · · Score: 1
      The default behavior in MediaWiki is to use salted hashes.

      I installed MediaWiki 2 minutes ago creating a new database user and account as I went.

      System:

      Debian Linux - sid
      Apache 1.3.33
      PHP 4.3.10
      /etc/shadow uses crypted MD5
      PHP Constants:
      CRYPT_SALT_LENGTH 12
      CRYPT_STD_DES 1
      CRYPT_EXT_DES 0
      CRYPT_MD5 1
      CRYPT_BLOWFISH 0
      In a PHP script, using $1$12345678$ as the salt, "something" is crypted as $1$12345678$xu3jxEIwJ9shBYfldViSF0.

      In my brand new MediaWiki 1.4.4 setup, the password "something" is inserted into the database as 812289532fadbec6239d25743103018d

      I suggest you do a code audit, because that password is clearly a non-crypted MD5, even though PHP's constants and the output from crypt show support for it.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    2. Re:Salted hashes by Reziac · · Score: 1

      Since you're here... whycome *most* of the time when I try to access a wikipedia article, I get only PART of the page, and "transfer interrupted"?? Clear cache, try again, same thing. Only solution seems to be "come back another day". (Which never happens, because by then I've forgotten about whatever I was looking for.) I'm on 26k dialup, so it's not like I'm personally overloading the server :)

      I haven't seen that exact behaviour anywhere else except on NT4 servers running IIS v3 or older.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    3. Re:Salted hashes by brion · · Score: 1

      You seem to be mistaken about what I said; please go back and read it again. We do not use crypt(), and I never claimed we did. We do use salted md5 hashes.

      If you don't feel like looking up the code, the format used is iirc MD5(CONCAT(user_id,'-',MD5(plaintext))). This particular method was chosen to allow an upgrade from the old MD5(plaintext) hashes and to not require external dependencies.

      --

      Do you speak Wikipedia?
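
      The two schemes contrasted in this thread, as an added example (not MediaWiki's own code): the legacy unsalted MD5(plaintext), the user-id-salted MD5(user_id-MD5(plaintext)) form brion describes, and why the latter can be applied to existing rows without the plaintext. It assumes user_id is rendered as a decimal string, as MySQL's CONCAT would do; the account rows are constructed sample data.

```python
import hashlib
from collections import defaultdict


def old_hash(plaintext: str) -> str:
    """Legacy scheme from the story: unsalted MD5(plaintext).
    Two accounts with the same password get byte-identical rows."""
    return hashlib.md5(plaintext.encode("utf-8")).hexdigest()


def salted_hash(user_id: int, plaintext: str) -> str:
    """Scheme brion quotes: MD5(CONCAT(user_id, '-', MD5(plaintext))).
    Assumes user_id is stringified in decimal, as CONCAT would."""
    inner = old_hash(plaintext)
    return hashlib.md5(f"{user_id}-{inner}".encode("utf-8")).hexdigest()


def upgrade_hash(user_id: int, legacy_hash: str) -> str:
    """Migrate an existing MD5(plaintext) row without the plaintext.
    This is the property that made the nested construction attractive:
    the stored legacy hash is exactly the inner value the new form needs,
    so no forced password reset is required."""
    return hashlib.md5(f"{user_id}-{legacy_hash}".encode("utf-8")).hexdigest()


def shared_password_groups(rows):
    """Group (user_id, name, stored_hash) rows by hash. With unsalted
    hashes, any group larger than one reveals which accounts share a
    password; with per-user salt the grouping yields nothing.
    Note the user_id salt only defeats this cross-account comparison;
    an offline guess against one row is as cheap as before, and MD5 is
    far too fast to be a sound password hash today."""
    groups = defaultdict(list)
    for _user_id, name, stored in rows:
        groups[stored].append(name)
    return [names for names in groups.values() if len(names) > 1]


# Constructed sample accounts, not real Wikipedia data.
ACCOUNTS = [(1, "alice", "secret"), (2, "bob", "secret"), (3, "carol", "hunter2")]


def demo():
    """Return the shared-password groups under the old and new schemes."""
    legacy = [(uid, n, old_hash(p)) for uid, n, p in ACCOUNTS]
    salted = [(uid, n, salted_hash(uid, p)) for uid, n, p in ACCOUNTS]
    return shared_password_groups(legacy), shared_password_groups(salted)
```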

    4. Re:Salted hashes by brion · · Score: 1

      Since our current plans for a future single sign-on system shouldn't actually be affected by it, I went ahead and turned on salted password hashes on all Wikimedia wikis during tonight's database maintenance.

      --

      Do you speak Wikipedia?

  63. What's the worse that could happen? by Anonymous Coward · · Score: 0

    Some of your faulty entries could be replaced by other faulty entries written by somebody else.

  64. Wow by fuck+nwbvt · · Score: 1

    Good gracious. You admitted you fucked up, but then proceeded to do nothing about it -- not even notify the people who might have been affected?

    If you worked for me as a developer, much less a database admin, I'd fire you on the spot. You better hope your boss doesn't find out about this.

  65. Email should be the highest security by anthony_dipierro · · Score: 1

    You should never have a password appear in a publicly readable "hash" or URL parameter, even if it's one-way encrypted

    This hash wasn't exactly "publicly readable". It was readable by anyone with developer access.

    High-security passwords for banking, etc (these are different for each site, and I write them down and keep the list in my safe.)

    For most banking sites, anyone with access to your email can change your password to your banking site. So in my opinion the password to your email account is the one which needs to be the most secure.

    Personally I use a hash of the site's domain name concatenated with my "master password". This has the disadvantage that it allows someone who can guess my hash scheme and has my hashed password to run an offline brute force attack on my master password, but has the advantage of not having to ever write anything down (and thus not risking forgetting or losing anything as long as I remember the master password). I actually use two different passwords for my master password - one for banks and shit like that and one for sites with clown admins like Slashdot and Wikipedia. Anyway, I certainly wouldn't trust my life to this scheme or anything, but it's good enough for stuff like online banking - if someone actually compromised my online banking password they'd probably get caught if they tried to actually use that password to steal anything.

    1. Re:Email should be the highest security by callipygian-showsyst · · Score: 1
      This hash wasn't exactly "publicly readable". It was readable by anyone with developer access.

      Isn't it "publicly readable" to anyone with access to the log files on an external link? The hash is in the referring URL, right?

    2. Re:Email should be the highest security by anthony_dipierro · · Score: 1

      No, the hash isn't in the URL. Why would it be there?

  66. Transfer interrupted by brion · · Score: 1

    I haven't seen that particular error... Might be an intermediate cache run by your ISP, or if you have a local proxy (ad blockers, etc) it might be timing out related to the slow connection and our overloaded servers at peak hours.

    --

    Do you speak Wikipedia?

    1. Re:Transfer interrupted by Reziac · · Score: 1

      No proxy, but timing-out/overworked server sounds like the most likely culprit. It IS somewhat more likely to happen when mentioned via slashdot (that ultimate load testing app :)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  67. Re:still... there's a better way to store password by SA+Stevens · · Score: 1

    Also, from the queue on K5, this article might just be the death squirms of the nailed troll(s) anyway.

    Oh yes, indeed. Because anybody who makes a concerted habit of trolling Wikipedia is gonna consistently use the same password on all their accounts.

    Right.

  68. if nothing else, we've learned... by Anonymous Coward · · Score: 0

    that wiki can also be translated to mean "hyperdefensive"

  69. Re:still... there's a better way to store password by some+guy+I+know · · Score: 1

    I've replaced \0 with qnblwfoqiwbegasfoi, which technically would be a legal part of a password, but is statistically assured never to be chosen by anyone.

    My god, that's the combination of my luggage!

    --
    Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
  70. Hole has been closed by This+Is+Ridiculous · · Score: 1

    To the extent it actually existed in the first place, this hole has now been closed. Wikipedia turned on password salting tonight while performing other routine maintenance (namely, adding a few indexes to increase performance).

    --
    Hey, you try to find an open nick these days!
  71. New signup procedure by Jakeypants · · Score: 1

    Please choose your desired username: Neo
    Username Neo is already in use.
    Please choose your desired username: N30
    Please choose your password: mypassword
    Password mypassword is already in use by user ThePlayaHater.
    Please choose your password: ...

    Unrelated, but funny from a retarded security standpoint: I work as a developer/tester for a small company. The developers all test each other's code because we don't have the budget for testers. Anyhow, testing an application that one of my coworkers wrote, see if you can guess how I hacked it just by looking at this url: http://www.somesite.xxx/creditcardnumbers/edit.php?admin=false. I've also heard stories about addtocart.aspx?id=324&price=499.99