Wikipedia Leaks Some Users' Passwords

JJ Budion writes "If you've signed up for an account on Wikipedia.org, you may want to check this page to make sure you're not on there. It seems certain users with identical password hashes can find other user names with the same password, and Wikipedia (despite being alerted) has done nothing about the problem for the last year. A good (although slightly inflammatory) description of the problem can be found here. This is probably a good occasion to remember to use strong passwords (apparently only users with common passwords, like dictionary words, are affected)."

A few points

[daveschroeder]

To be clear, this isn't a case of Wikipedia "leaking" passwords or allowing some kind of exploit via technical means; this is Tim Starling deciding to specifically and literally publish a list of usernames that share the same password, ostensibly for the purpose of revealing trolls and flooders with multiple accounts.

From the looks of a few of the lists (RickK, RíckK, RìckK, RiÄkK, RïckK, RiÄkK; Mäximus Rex, Maximus Rex, MaximusRex; JíangSlumDawg, JiangFlungDung; LlortTheehtTroll, LlörtTheehtTröll; The Two Trolls,The Fellowship of the Troll,The Return of the Troll,The Trolls of Navarone,Troll Silent, Troll Deep,The Trolling Stones, RangelaND Visa CONtroll), it would appear that some of these are indeed obvious duplicate accounts (whether or not they're "trolls" is, I imagine, beside the point).

But it seems that he also caught a bunch of innocent folks who just happen to share the same password, not beyond the realm of comprehension for a password used for an "online" non-financial, non-critical site on a service with thousands of users. The submission makes it seem like Wikipedia knew about some kind of "exploit" and did nothing; rather, it seems like Wikipedia is content to let potential, and indeed confirmed in one case as admitted on the page, abuse of innocent users' privacy continue in the name of exposing possible (admittedly annoying) trolls. (That's my own take on the situation, anyway.)

Interestingly, Wikimedia's (draft?) Privacy Policy says:

Many aspects of the Wikimedia projects community interactions depend on the reputation and respect that is built up through a history of valued contributions. User passwords are the only guarantee of the integrity of a user's edit history. All users are encouraged to select strong passwords and to never share them. No one shall knowingly expose the password of another user to public release either directly or indirectly.

It appears that, in this case, Wikimedia itself is implicitly "knowingly" releasing passwords to the public. One of the many problems with a community site for which there is no central responsible authority. Anyone who hasn't yet would do themselves well to read the summary of the issue linked in the submission.

If you're a troll on Wikipedia,

[MrAnnoyanceToYou]

Please make yourself a new account or two. Seriously, the rather inflammatory summary didn't tip off the on-duty editor that this might not be that big a deal? 100 names out of how many? Gimmie a break.

Additionally, every single post I've seen associated with this looks like someone just looking to drum up trouble for Wikipedia. Look at the list, and you'll notice that a lot of them, yes, are copies. And if they're not copies, you should have used a better password anyways, there's not even numbers in those... On top of that, the developer in charge of that little page seems like quite a decent fellow.

Shame to you for not editing that summary a bit.

Re:Doesn't know diddly about hashing

[Nytewynd]

The funny thing is that someone's uber-secure password might be hashed right onto a dictionary word if the coder is a clown. Imagine finding out your password of "7,g/1jI-1?m" got hacked because it hashed onto "password".

This whole story is flamebait

[Raul654]

First, this was not a technical flaw - this was one developer intentionally looking for identical password hashes. Second, this is not news - the page in question was created last July as a one time thing to flush out trolls.

Why would we publish a list of account with identical passwords? Because certain trolls are known to register multiple accounts with the same password, and use them to troll, vote stuff, and all sorts of other unpleasant activities. Of course, many times, it is not hard to guess who those accounts belong to based on editing habits, but of course the trolls in question will deny it. But being matched by password was a one-time way to shoot through all their lies. This whole story is old, and the summery is horrible biased.