Slashdot Mirror


Wikipedia Leaks Some Users' Passwords

JJ Budion writes "If you've signed up for an account on Wikipedia.org, you may want to check this page to make sure you're not on there. It seems certain users with identical password hashes can find other user names with the same password, and Wikipedia (despite being alerted) has done nothing about the problem for the last year. A good (although slightly inflammatory) description of the problem can be found here. This is probably a good occasion to remember to use strong passwords (apparently only users with common passwords, like dictionary words, are affected)."


  1. "News"? by TripMaster Monkey · · Score: 4, Informative


    Um...didn't this happen like a year ago?

    --
    ____

    ~ |rip/\/\aster /\/\onkey

  2. Doesn't know diddly about hashing by fuzzy12345 · · Score: 4, Informative
    Anyone who thinks it's a hash collision problem, but that only people with 'weak' passwords will be affected, doesn't understand hashing.

    Anyone who, in this day and age, writes a system whereby two users assign themselves the same password and end up with the same hashed password ought to be shot. Add a little SALT!

    --

    Everybody's a libertarian 'till their neighbour's becomes a crack house.
  3. No passwords leaked by fredrikj · · Score: 2, Informative

    Quote:

    All the accounts listed on this page have been created solely for the purpose of trolling, and this page was set up to make it easier to determine whether two troll accounts belong to the same person.

    No passwords have been leaked, and the only people affected are trolls.

  4. You're missing the point by Geoffreyerffoeg · · Score: 4, Informative

    1) Those heading titles aren't the passwords themselves, just one member from the group. The original passwords are encrypted and unknown. These are users with the same hash. Nobody knows if they used a password like "my_pass_word" or like "ar49B!4Nc&&". Password strength is irrelevant. Besides, the developers of any site always have access to your password hashes, since someone needs full read access to the databases.

    2) A quick glance at those lists shows that they're all duplicate ("sock-puppet") accounts, and they're mostly from trolls. If you haven't watched Wikipedia much, you may not know the illustrious story of the sock-puppets, but even seemingly unrelated names (e.g., Lir and Pizza Puzzle) are widely believed to be the same user.

    3) This story is what they call "FUD". If someone finds a valid user's account among these, then tell the user, and say that you found one (you don't have to say who). Until then, since the page appears to be all sock puppets, don't assume that there are innocent civilians caught in the collateral damage. As the page says, "all the accounts listed on this page have been created solely for the purpose of trolling." Only when that claim is disproven does the page become a worry.

    -- User:Geoffrey on Wikipedia

    1. Re:You're missing the point by jdavidb · · Score: 2, Informative

      Until then, I'm gonna watch that page and its automated incarnation (if it occurs) very carefully.

      I hope you watch carefully enough to discover that there is no automated incarnation, that the page is a year old, and that the developer involved agreed that there were security issues, apologized, and will not do it again.

      After that your watch may get somewhat boring.

  5. Re:If you're a troll on Wikipedia, by Geoffreyerffoeg · · Score: 2, Informative

    you should have used a better password anyway, there aren't even numbers in those...

    Those aren't passwords. Wikipedia hashes the passwords. The titles are the name of one user in each group. The summary's assertion about strong passwords is irrelevant; the only thing they compared was the password hashes.

  6. YHBT HAND by timstarling · · Score: 5, Informative

    A few other people have said it, but you may as well hear it from the source.

    That was the only time I published such lists. They were constructed by searching the database for password matches with the few most active trolls on Wikipedia at the time. People complained about the possibility that innocent users with weak passwords might have been affected. I conceded the point, apologised, and promised not to do it again. The issue was played up at the time by the trolls who were exposed -- not surprisingly, I wasn't winning any friends in that camp. Those same trolls still whinge about the existence of the page today.

    At the time, some people wanted the page deleted to protect any innocent people who might have been listed. The majority wanted the page kept as evidence against the trolls. I had no opinion either way, and so let the page remain in accordance with community wishes.

    Nobody has ever identified a non-troll account on that page. No innocent person has complained to me that they were affected. None of the accounts (aside from the known troll accounts) had any identifying information associated with them.

  7. Wikipedia knows by Anonymous Coward · · Score: 1, Informative

  8. Tempest in a teapot by Eloquence · · Score: 4, Informative

    The gist of the story, which refers to an event from July 2004 (many of the users in question have since left), is correct: there may be legitimate accounts on this list of 109 account names. However, about 90% of them are from identified and well-known trolls and problem users. It's important to know that it's relatively easy for us to block a user, but it's also relatively easy for that user to come back under a new name, especially if they use dynamic IP addresses. Many trolls also like to impersonate others (many of the listed accounts are obvious impersonations of famous Wikipedians).

    Unfortunately, Tim at the time didn't run a password checker against the hashes, which could have thrown weak passwords out of the list and thereby prevented legitimate accounts from being included with reasonable effectiveness.

    The submitter clearly has an axe to grind (and may well be identical to the comment poster). No similar lookup has taken place since July 2004, so this story is a tempest in a teapot.

    I would agree with the criticism in one regard: The decision not to delete the page was mistaken. One problem was that the deletion request came from a troll, which made a lot of people vote to keep the page "by default." The other problem is that the technical arguments to delete the page came in too late to make a difference.

    In any case, as noted, this was months ago, has not been repeated since then, and any non-troll among the listed accounts can simply change their password. We're not talking about credit card data here, anyway -- creating a Wikipedia account takes 20 seconds and doesn't even require a valid email address. All that it contains are a bunch of user preferences.

  9. Re:40 years of UNIX by odsign · · Score: 2, Informative

    In a non-bonehead password scheme, user passwords are stored after running them through a one-way hash function. A quantity of random data can be added to the password before hashing, to prevent identical passwords from producing the same hash, thus revealing the fact that they are identical. This is called a salt, and can be left out in the open. To check a password, you put the entered password and the unprotected salt together, hash them, and check the value against that stored.
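The two technical points made in this thread, that an unsalted store lets anyone with database read access group accounts by shared password regardless of password strength (comments 2, 4 and 5), that a dictionary check against the hashes could have separated "weak shared password" groups from the rest (comment 8), and that a per-user salt removes the grouping entirely (comment 9), as one added example. This is illustration code written for this page; it is not MediaWiki code and makes no claim about which hash Wikipedia actually used in 2004. The account names, passwords and wordlist are constructed, and SHA-256 / PBKDF2 are stand-in choices.

```python
"""Added example: grouping accounts by identical password hash, a dictionary
check against those hashes, and the salted scheme that prevents grouping.

Not code from Wikipedia/MediaWiki or from any commenter; all inputs below
are constructed for illustration.
"""
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (hypothetical names).  Two pairs share a weak
# password, one pair shares a strong password, one account is unique.
ACCOUNTS = {
    "troll_a":   "password",
    "troll_a2":  "password",
    "sock_b":    "wikipedia",
    "sock_b2":   "wikipedia",
    "editor_c":  "ar49B!4Nc&&",
    "editor_c2": "ar49B!4Nc&&",
    "editor_d":  "correct horse battery staple",
}

# Constructed wordlist standing in for a password checker's dictionary.
WORDLIST = ["123456", "password", "wikipedia", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Store-side hash with no per-user data: equal passwords, equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def group_by_hash(hashes: dict) -> list:
    """The lookup the thread describes: collect user names whose stored hash
    is identical.  Only groups with more than one member are returned."""
    by_hash = defaultdict(list)
    for user, h in hashes.items():
        by_hash[h].append(user)
    return sorted(g for g in by_hash.values() if len(g) > 1)


def crack_unsalted(hashes: dict, wordlist) -> dict:
    """Dictionary check against unsalted hashes.  Because there is no salt,
    one hash per candidate word tests every user at once.
    Returns {user: recovered_password} for the accounts it can explain."""
    lookup = {unsalted_hash(w): w for w in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """Random per-user salt stored in the clear next to a slow PBKDF2 hash.
    The salt is not secret; its job is to make equal passwords differ."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_salted(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def demo():
    """Run both schemes over the constructed accounts."""
    unsalted = {u: unsalted_hash(p) for u, p in ACCOUNTS.items()}
    groups = group_by_hash(unsalted)              # strong passwords group too
    weak = crack_unsalted(unsalted, WORDLIST)     # only the dictionary words
    salted = {u: make_salted_record(p) for u, p in ACCOUNTS.items()}
    salted_groups = group_by_hash({u: r["hash"] for u, r in salted.items()})
    return groups, weak, salted_groups, salted


if __name__ == "__main__":
    groups, weak, salted_groups, salted = demo()
    print("unsalted groups:", groups)
    print("explained by wordlist:", weak)
    print("salted groups:", salted_groups)
    print("login check:", verify_salted(salted["editor_d"], ACCOUNTS["editor_d"]))
```

Note what the unsalted run shows: `editor_c` and `editor_c2` are grouped even though their shared password is strong, which is the point the thread makes about password strength being irrelevant to the grouping, while the dictionary check only explains the `troll_a` and `sock_b` pairs. With the salted records no two hashes match, so the same database read yields nothing.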