Slashdot Mirror


Wikipedia Leaks Some Users' Passwords

JJ Budion writes "If you've signed up for an account on Wikipedia.org, you may want to check this page to make sure you're not on there. It seems certain users with identical password hashes can find other user names with the same password, and Wikipedia (despite being alerted) has done nothing about the problem for the last year. A good (although slightly inflammatory) description of the problem can be found here. This is probably a good occasion to remember to use strong passwords (apparently only users with common passwords, like dictionary words, are affected)."

1 of 238 comments

  1. accusing the author of trolling to distract us by SuperBanana · Score: 1, Flamebait
    this is Tim Starling deciding to specifically and literally publish a list of usernames that share the same password, ostensibly for the purpose of revealing trolls and flooders with multiple accounts.

    No, it's a developer using an "ends justifies the means" argument to catch sock puppet accounts created by people too stupid to assign them unique passwords.

    Unfortunately, he didn't think "gee, this might catch some legitimate users off guard", and as a side effect, we see that Wikipedia developers didn't use salts for the passwords, which indicates just how lax they are about security (which is part of the article's point).

    What you seem to be doing is diverting our attention away from the legitimacy of the claims (insecure Wikipedia code, lack of common sense, etc.) by simply saying "the author of the story is a troll!"

    it would appear that some of these are indeed obvious duplicate accounts

    Then why didn't the developer simply remove them? If they're troll accounts, the people won't complain, most likely. If they do, say "oops, sorry, we had a little hiccup" (the swamp gas refracted polarized moonlight off the stratospheric sub-layer). Problem solved. If submitted edits are tied to accounts, move the edits into a "holding area" for a month where they're not visible to the public (i.e., back them up).

    This seems like basic sysadmin 101, sorry.
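As an added illustration of the point made in the story and in the comment above (example code written for this page, not MediaWiki's own code): when a site stores unsalted hashes, anyone who can read the user table can group accounts by digest and see which ones share a password without cracking anything; a per-user random salt removes that signal. The account names, passwords and the choice of unsalted MD5 as the weak scheme are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; the value is the password each user chose.
ACCOUNTS = {
    "alice": "correct horse",
    "bob": "password",
    "carol": "password",
    "dave": "letmein",
    "erin": "password",
}

def hash_unsalted(password: str) -> str:
    """Unsalted MD5 (assumed weak scheme): same password, same digest for every user."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_salted(password: str, salt: bytes) -> str:
    """Per-user random salt plus a slow KDF: identical passwords no longer collide."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def build_unsalted_table(accounts):
    return {user: hash_unsalted(pw) for user, pw in accounts.items()}

def build_salted_table(accounts):
    table = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)                     # fresh salt per account
        table[user] = (salt.hex(), hash_salted(pw, salt))
    return table

def shared_password_groups(table):
    """Group usernames by stored digest. In an unsalted table every group larger
    than one is a set of accounts sharing a password, visible with no cracking."""
    by_hash = defaultdict(list)
    for user, stored in table.items():
        digest = stored[1] if isinstance(stored, tuple) else stored
        by_hash[digest].append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)

def verify_salted(table, user, password) -> bool:
    """Login check for the salted table: recompute with the stored salt, compare in constant time."""
    salt_hex, digest = table[user]
    return hmac.compare_digest(hash_salted(password, bytes.fromhex(salt_hex)), digest)

if __name__ == "__main__":
    print(shared_password_groups(build_unsalted_table(ACCOUNTS)))  # [['bob', 'carol', 'erin']]
    print(shared_password_groups(build_salted_table(ACCOUNTS)))    # []
```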