Wikipedia Leaks Some Users' Passwords
JJ Budion writes "If you've signed up for an account on Wikipedia.org, you may want to check this page to make sure you're not on there. It seems certain users with identical password hashes can find other user names with the same password, and Wikipedia (despite being alerted) has done nothing about the problem for the last year. A good (although slightly inflammatory) description of the problem can be found here. This is probably a good occasion to remember to use strong passwords (apparently only users with common passwords, like dictionary words, are affected)."
If they're going to succeed in portraying Wikipedia as a mature, reliable alternative to traditional encyclopedias, then they ought to make damned sure that their ducks are in a row. Their disregard of customer concerns is shameful.
If, in the long-term, Wikipedia's image is tarnished by this, it is well-deserved.
"Ask not what your country can do for you." --John F. Kennedy
Salt, anyone?
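An added example, not part of the thread and not Wikipedia's code: it shows why identical unsalted hashes reveal which accounts share a password, and how a per-user random salt removes that signal. The account names, passwords, the use of SHA-256 as a stand-in for the unnamed hash, and the PBKDF2 round count are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; names and passwords are made up for illustration.
ACCOUNTS = {
    "alice": "sunshine",
    "bob": "sunshine",
    "carol": "pass45word",
    "dave": "sunshine",
}

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def unsalted_hash(password):
    """Plain digest: equal passwords always give equal stored values."""
    return hashlib.sha256(password.encode()).digest()


def salted_hash(password, salt=None):
    """Per-user random salt plus a slow KDF; returns (salt, derived key)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


def verify(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], key)


def shared_password_groups(stored):
    """Group user names whose stored value is byte-for-byte identical."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def demo():
    """Return (groups visible with unsalted hashes, groups visible with salts)."""
    unsalted = {u: unsalted_hash(p) for u, p in ACCOUNTS.items()}
    salted = {u: b"".join(salted_hash(p)) for u, p in ACCOUNTS.items()}
    return shared_password_groups(unsalted), shared_password_groups(salted)


if __name__ == "__main__":
    print(demo())
```

Salting hides which accounts share a password; it does not make a dictionary-word password hard to guess for someone who holds the salt and hash.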
Yes, and as such everyone in the same heading now knows the password for everyone else in the same heading. Given the high likelihood that many of the accounts are trolls, that means if innocent Wikipedian "you" happen to share a password with a troll, that troll knows it now. Lucky you.
they're mostly from trolls.
What, only "mostly"? Not a very strong assertion in the face of a potential privacy violation. C'mon, if you're gonna assert that you intend to "out" only the trolls, you need to stick to the story. Admitting that the list is "mostly" trolls is admitting that the list is "partially" innocents. Who have now been screwed.
As the page says, "all the accounts listed on this page have been created solely for the purpose of trolling."
Well, then, obviously there's no story. Silly us. The creator of the page says there's no innocents listed, therefore there are no innocents listed.
In related news, Microsoft Windows is the most secure server OS EVAR!!! MS's Marketing department sed so!
Only when that claim is disproven does the page become a worry.
No, in a sane world, the page is a worry until the counterclaim is positively proven: that there are demonstrably no innocent user IDs on the page.
Until then, I'm gonna watch that page and its automated incarnation (if it occurs) very carefully. I have been a moderately active Wikipedian up until now, but if I'm gonna get carpet-bombed just because I accidentally move in next door to a troll, I'll find someplace else to contribute.
Welcome to the Panopticon. Used to be a prison, now it's your home.
mod parent up, he's right.
Just get this into your head: no passwords have been leaked! If two of the accounts in each section were not created by the same person, then the password would be compromised (the other person would know it's the same as his/her own). But that's the only problem.
My guess would be that this would be true for at most two pairs of accounts on that page. But probably, none at all.
I have discovered a truly remarkable sig which this 120 chars is too small to contain.
1. You should never have a password appear in a publicly readable "hash" or URL parameter, even if it's one-way encrypted
2. You should NEVER use a password for a site that's the same as an important password
I tend to have three tiers of password:
1. "junk" passwords for non-critical sites (like /. or nytimes registration) that don't really matter
2. secure passwords for web-based email, etc, that I wouldn't want getting out
3. High-security passwords for banking, etc (these are different for each site, and I write them down and keep the list in my safe.)
Best Buy can have you arrested
Yes, as a matter of fact, it *is* their fault. The people in question used sockpuppet accounts in order to cause harm to Wikipedia in all sorts of unpleasant ways (and then deny any connection to those accounts). Exposing them in the middle of their lies was sweet justice. This list would have never been published if they weren't doing this, as (just so we're clear) now that the cat's out of the bag, this trick won't be useful anymore.
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
My guess would be that this would be true for at most two pairs of accounts on that page. But probably, none at all.
All depends on how smart/mischievous the vandals were. If the vandals picked real common passwords, chances are they caught a couple of innocent naive bystanders.
Ok, so now vandals have caught a small number of accounts with really common (i.e. weak...) passwords.
Q: Who uses weak passwords (apart from other vandals trying to pull off the same stunt)?
A: Newbs!
Q: And what other errors do newbs do with passwords?
A: Reuse the same across several sites (Slashdot, Amazon, and if the vandal is lucky: a bank...)
See the problem?
That worthless Microsoft..., wait I mean switch to Lin..., I mean stupid DMCA lawyer...oh nevermind, someone that we all like is at fault, we'll ignore it.
Trolls deserve nothing.
Frankly, I don't care if they rape nuns, kill puppies for sport, and eat kittens for breakfast. You should not compromise security, even this trivially, for any reason.
If you were so stupid as to use a common word for a password and couldn't even be bothered to do something like change it to "pass45word" then you deserve whatever happens.
It's Wikipedia, not Amazon or PayPal. Most people don't care enough to use a strong password.
Les Miserables Volume 1 now up with my reading of