Slashdot Mirror


Wikipedia Leaks Some Users' Passwords

JJ Budion writes "If you've signed up for an account on Wikipedia.org, you may want to check this page to make sure you're not on there. It seems certain users with identical password hashes can find other user names with the same password, and Wikipedia (despite being alerted) has done nothing about the problem for the last year. A good (although slightly inflammatory) description of the problem can be found here. This is probably a good occasion to remember to use strong passwords (apparently only users with common passwords, like dictionary words, are affected)."

36 of 238 comments

  1. A few points by daveschroeder · · Score: 5, Interesting

    To be clear, this isn't a case of Wikipedia "leaking" passwords or allowing some kind of exploit via technical means; this is Tim Starling deciding to specifically and literally publish a list of usernames that share the same password, ostensibly for the purpose of revealing trolls and flooders with multiple accounts.

    From the looks of a few of the lists (RickK, RíckK, RìckK, RiÄkK, RïckK, RiÄkK; Mäximus Rex, Maximus Rex, MaximusRex; JíangSlumDawg, JiangFlungDung; LlortTheehtTroll, LlörtTheehtTröll; The Two Trolls,The Fellowship of the Troll,The Return of the Troll,The Trolls of Navarone,Troll Silent, Troll Deep,The Trolling Stones, RangelaND Visa CONtroll), it would appear that some of these are indeed obvious duplicate accounts (whether or not they're "trolls" is, I imagine, beside the point).

    But it seems that he also caught a bunch of innocent folks who just happen to share the same password, not beyond the realm of comprehension for a password used for an "online" non-financial, non-critical site on a service with thousands of users. The submission makes it seem like Wikipedia knew about some kind of "exploit" and did nothing; rather, it seems like Wikipedia is content to let potential, and indeed confirmed in one case as admitted on the page, abuse of innocent users' privacy continue in the name of exposing possible (admittedly annoying) trolls. (That's my own take on the situation, anyway.)

    Interestingly, Wikimedia's (draft?) Privacy Policy says:

    Many aspects of the Wikimedia projects community interactions depend on the reputation and respect that is built up through a history of valued contributions. User passwords are the only guarantee of the integrity of a user's edit history. All users are encouraged to select strong passwords and to never share them. No one shall knowingly expose the password of another user to public release either directly or indirectly.

    It appears that, in this case, Wikimedia itself is implicitly "knowingly" releasing passwords to the public. One of the many problems with a community site for which there is no central responsible authority. Anyone who hasn't yet would do themselves well to read the summary of the issue linked in the submission.

  2. Well, good for me! by TheRealMindChild · · Score: 4, Funny

    I guess it is a good thing that I use "TheCowJumpedOverMyMotherInLaw" as my password... no one will ever figure that one out

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    1. Re:Well, good for me! by jx100 · · Score: 2, Funny

      Dammit, I need to change the code on my luggage now!

  3. If you're a troll on Wikipedia, by MrAnnoyanceToYou · · Score: 5, Interesting

    Please make yourself a new account or two. Seriously, the rather inflammatory summary didn't tip off the on-duty editor that this might not be that big a deal? 100 names out of how many? Gimmie a break.

    Additionally, every single post I've seen associated with this looks like someone just looking to drum up trouble for Wikipedia. Look at the list, and you'll notice that a lot of them, yes, are copies. And if they're not copies, you should have used a better password anyways, there's not even numbers in those... On top of that, the developer in charge of that little page seems like quite a decent fellow.

    Shame to you for not editing that summary a bit.

    1. Re:If you're a troll on Wikipedia, by Geoffreyerffoeg · · Score: 2, Informative

      you should have used a better password anyways, there's not even numbers in those...

      Those aren't passwords. Wikipedia hashes the passwords. The titles are the name of one user in each group. The summary's assertion about strong passwords is irrelevant; the only thing they compared was the password hashes.

    2. Re:If you're a troll on Wikipedia, by NumbThumb · · Score: 2, Insightful

      mod parent up, he's right.

      Just get this into your head: no passwords have been leaked! If two of the accounts in each section were not created by the same person, then the password would be compromised (the other person would know it's the same as his/her own). But that's the only problem.

      My guess would be that this would be true for at most two pairs of accounts on that page. But probably, none at all.

      --
      I have discovered a truly remarkable sig which this 120 chars is too small to contain.
    3. Re:If you're a troll on Wikipedia, by Raul654 · · Score: 2, Insightful

      Yes, as a matter of fact, it *is* their fault. The people in question used sockpuppet accounts in order to cause harm to Wikipedia in all sorts of unpleasant ways (and then deny any connection to those accounts). Exposing them in the middle of their lies was sweet justice. This list would have never been published if they weren't doing this, as (just so we're clear) now that the cat's out of the bag, this trick won't be useful anymore.

      --


      To make laws that man cannot, and will not obey, serves to bring all law into contempt.
      --E.C. Stanton
    4. Re:If you're a troll on Wikipedia, by ArsenneLupin · · Score: 2, Insightful
      then the password would be compromised (the other person would know it's the same as his/her own).

      ... and, as these passwords were singled out because at least one of the accounts was used for vandalism, chances are that the "other person" is the kind of person who you really don't want to knowingly share a password with.

      My guess would be that this would be true for at most two pairs of accounts on that page. But probably, none at all.

      All depends on how smart/mischievous the vandals were. If the vandals picked really common passwords, chances are they caught a couple of innocent naive bystanders.

      Ok, so now vandals have caught a small number of accounts with really common (i.e. weak...) passwords.

      Q: Who uses weak passwords (apart from other vandals trying to pull off the same stunt)?
      A: Newbs!

      Q: And what other errors do newbs do with passwords?
      A: Reuse the same across several sites (Slashdot, Amazon, and if the vandal is lucky: a bank...)

      See the problem?

  4. Wiki-passwords? by pianorain · · Score: 5, Funny

    Bah...you mean that I can't edit other people's passwords too?

  5. I've said it before by Anonymous Coward · · Score: 2, Funny

    and I'll say it again, hotgrits is not a safe password

  6. "News"? by TripMaster+Monkey · · Score: 4, Informative


    Um...didn't this happen like a year ago?

    --
    ____

    ~ |rip/\/\aster /\/\onkey

  7. Shame on Wiki by goldspider · · Score: 3, Insightful

    If they're going to succeed in portraying Wikipedia as a mature, reliable alternative to traditional encyclopedias, then they aught to make damned sure that their ducks are in a row. Their disregard of customer concerns is a shameful.

    If, in the long-term, Wikipedia's image is tarnished by this, it is well-deserved.

    --
    "Ask not what your country can do for you." --John F. Kennedy
    1. Re:Shame on Wiki by Rei · · Score: 4, Funny

      You did your post wrong, and are just asking to have other editors come along and fix it for you. To save this from a hundred edits, I'll go ahead and try to get them all at once:

      If they're going to succeed in portraying Wikipedia as a mature, reliable alternative to traditional encyclopedias, they ought to make damned sure that their ducks are in a row. Their disregard for customer concerns is shameful.

      If, in the long-term, Wikipedia's image is tarnished by this, it is well-deserved.

      See also:
      * Wikipedia (external link)

      --
      Aeris Died For Your Sins.
  8. the two guys by Anonymous Coward · · Score: 5, Funny

    the two guys with "Ilovetehfatchicks" as their password who showed up on each others list are just looking at each other right now. They know the other guy knows, but nobody else does, so the uncomfortable, pregnant, silence continues.

  9. 1 2 3 4 5 by bestguruever · · Score: 2, Funny

    Cue the spaceballs references ...

    --
    if you think this is bad, you should have seen my last sig
  10. Passwords... by aicrules · · Score: 2, Funny
  11. 40 years of UNIX by Jeffrey+Baker · · Score: 4, Insightful

    Salt, anyone?

    1. Re:40 years of UNIX by odsign · · Score: 2, Informative

      In a non-bonehead password scheme, user passwords are stored after running them through a one-way hash function. A quantity of random data can be added to the password before hashing, to prevent identical passwords from producing the same hash, thus revealing the fact that they are identical. This is called a salt, and can be left out in the open. To check a password, you put the entered password and the unprotected salt together, hash them, and check the value against that stored.
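The salted scheme odsign describes, as an added example that is not part of the original thread and not MediaWiki's code: an unsalted MD5 table (assumed here as the weak scheme, for illustration) lets anyone with database access group users by identical hash, which is exactly the lookup the story is about, while a random per-user salt fed through PBKDF2 makes the same lookup find nothing. The usernames and passwords are constructed; the salt is stored next to the hash in the clear, as odsign says, and is only there to make equal passwords hash differently.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

# Constructed sample accounts (hypothetical, not from the page).
SAMPLE_USERS = {
    "alice": "password",
    "bob": "password",          # unrelated user who picked the same password as alice
    "troll1": "hunter2",
    "troll2": "hunter2",        # sock puppet reusing its owner's password
    "carol": "7,g/1jI-1?m",
}


def hash_unsalted(password: str) -> str:
    """Assumed weak scheme: plain MD5, so equal passwords always give equal hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 over (password, random per-user salt). The salt is not secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unexpected hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def groups_with_shared_hash(table: dict) -> list:
    """The lookup from the story: every set of users whose stored hash is identical."""
    by_hash = defaultdict(list)
    for user, stored in table.items():
        by_hash[stored].append(user)
    return sorted(users for users in by_hash.values() if len(users) > 1)


def build_tables(users=SAMPLE_USERS):
    """Store the same accounts both ways so the two lookups can be compared."""
    unsalted = {u: hash_unsalted(p) for u, p in users.items()}
    salted = {u: hash_salted(p) for u, p in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted table, shared hashes:", groups_with_shared_hash(unsalted))
    print("salted table, shared hashes:  ", groups_with_shared_hash(salted))
    print("bob still logs in:", verify_salted("password", salted["bob"]))
```

With the unsalted table the grouping finds both the sock-puppet pair and the innocent alice/bob pair, and nothing in the data distinguishes them; with the salted table it finds nothing, and each account is still verifiable from its own row. The iteration count is what makes guessing slow; the salt alone only stops the cross-user comparison.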

  12. Doesn't know diddly about hashing by fuzzy12345 · · Score: 4, Informative
    Anyone who thinks it's a hash collision problem, but that only people with 'weak' passwords will be affected doesn't understand hashing.

    Anyone who, in this day and age, writes a system whereby two users assign themselves the same password and end up with the same hashed password ought to be shot. Add a little SALT!

    --

    Everybody's a libertarian 'till their neighbour's becomes a crack house.
    1. Re:Doesn't know diddly about hashing by Nytewynd · · Score: 2, Interesting

      The funny thing is that someone's uber-secure password might be hashed right onto a dictionary word if the coder is a clown. Imagine finding out your password of "7,g/1jI-1?m" got hacked because it hashed onto "password".

      --
      /. ++
  13. Saw this on K5 by Nos. · · Score: 2

    I really believe this is an abuse of privileges, or a gross security oversight by Tim Starling. Knowing this information, I could likely gain access to these users' accounts on other, completely unrelated systems. Suppose I was on one of those lists (I'm not). Immediately, I know the password of everyone in my group. Now, suppose I start searching other sites, like /. for those usernames. Think they might use the same password on two different systems?

    1. Re:Saw this on K5 by aicrules · · Score: 2, Funny
      Think they might use the same password on two different systems?

      Not me! You couldn't hack into my account that way! No siree! I always use different passwords for each site that I'm on. That way, even if the site is unscrupulous I have nothing to worry about on the other 500 sites I have accounts on.

      Unfortunately, to remember them all I just use the name of the site as the password for my account.
  14. Whew, I'm safe! by sveskemus · · Score: 2, Funny

    Good thing my password is *********.

  15. No passwords leaked by fredrikj · · Score: 2, Informative

    Quote:

    All the accounts listed on this page have been created solely for the purpose of trolling, and this page was set up to make it easier to determine whether two troll accounts belong to the same person.

    No passwords have been leaked, and the only people affected are trolls.

  16. I use my dog's name as my password. by Anonymous Coward · · Score: 2, Funny

    I use my dog's name as my password.
    My dog's name is currently "rV4q-p2", but I change it every 90 days.

  17. You're missing the point by Geoffreyerffoeg · · Score: 4, Informative

    1) Those heading titles aren't the passwords themselves, just one member from the group. The original passwords are encrypted and unknown. These are users with the same hash. Nobody knows if they used a password like "my_pass_word" or like "ar49B!4Nc&&". Password strength is irrelevant. Besides, the developers of any site always have access to your password hashes, since someone needs full read access to the databases.

    2) A quick glance at those lists shows that they're all duplicate ("sock-puppet") accounts, and they're mostly from trolls. If you haven't watched Wikipedia much, you may not know the illustrious story of the sock-puppets, but even seemingly unrelated names (e.g., Lir and Pizza Puzzle) are widely believed to be the same user.

    3) This story is what they call "FUD". If someone finds a valid user's account among these, then tell the user, and say that you found one (you don't have to say who). Until then, since the page appears to be all sock puppets, don't assume that there are innocent civilians caught in the collateral damage. As the page says, "all the accounts listed on this page have been created solely for the purpose of trolling." Only when that claim is disproven does the page become a worry.

    -- User:Geoffrey on Wikipedia

    1. Re:You're missing the point by idontgno · · Score: 3, Insightful
      Those heading titles aren't the passwords themselves, just one member from the group. The original passwords are encrypted and unknown. These are users with the same hash.

      Yes, and as such everyone in the same heading now knows the password for everyone else in the same heading. Given the high likelihood that many of the accounts are trolls, that means if innocent Wikipedian "you" happen to share a password with a troll, that troll knows it now. Lucky you.

      they're mostly from trolls.

      What, only "mostly"? Not a very strong assertion in the face of a potential privacy violation. C'mon, if you're gonna assert that you intend to "out" only the trolls, you need to stick to the story. Admitting that the list is "mostly" trolls is admitting that the list is "partially" innocents. Who have now been screwed.

      As the page says, "all the accounts listed on this page have been created solely for the purpose of trolling."

      Well, then, obviously there's no story. Silly us. The creator of the page says there's no innocents listed, therefore there are no innocents listed.

      In related news, Microsoft Windows is the most secure server OS EVAR!!! MS's Marketing department sed so!

      Only when that claim is disproven does the page become a worry.

      No, in a sane world, the page is a worry until the counterclaim is positively proven: that there are demonstrably no innocent user IDs on the page.

      Until then, I'm gonna watch that page and its automated incarnation (if it occurs) very carefully. I have been a moderately active Wikipedian up until now, but if I'm gonna get carpet-bombed just because I accidentally move in next door to a troll, I'll find someplace else to contribute.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    2. Re:You're missing the point by jdavidb · · Score: 2, Informative

      Until then, I'm gonna watch that page and its automated incarnation (if it occurs) very carefully.

      I hope you watch carefully enough to discover that there is no automated incarnation, that the page is a year old, and that the developer involved agreed that there were security issues, apologized, and will not do it again.

      After that your watch may get somewhat boring.

  18. This whole story is flamebait by Raul654 · · Score: 4, Interesting

    First, this was not a technical flaw - this was one developer intentionally looking for identical password hashes. Second, this is not news - the page in question was created last July as a one time thing to flush out trolls.

    Why would we publish a list of accounts with identical passwords? Because certain trolls are known to register multiple accounts with the same password, and use them to troll, vote stuff, and all sorts of other unpleasant activities. Of course, many times, it is not hard to guess who those accounts belong to based on editing habits, but of course the trolls in question will deny it. But being matched by password was a one-time way to shoot through all their lies. This whole story is old, and the summary is horribly biased.

    --


    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
  19. Re:Still Waiting by fredrikj · · Score: 2, Funny

    I'm still waiting on who actually uses Wikipedia as their primary source of information.

    According to this page I found, which seems reliable, "Its articles have been cited by the mass media and academia."

  20. YHBT HAND by timstarling · · Score: 5, Informative

    A few other people have said it, but you may as well hear it from the source.

    That was the only time I published such lists. They were constructed by searching the database for password matches with the few most active trolls on Wikipedia at the time. People complained about the possibility that innocent users with weak passwords might have been affected. I conceded the point, apologised, and promised not to do it again. The issue was played up at the time by the trolls who were exposed -- not surprisingly, I wasn't winning any friends in that camp. Those same trolls still whinge about the existence of the page today.

    At the time, some people wanted the page deleted to protect any innocent people who might have been listed. The majority wanted the page kept as evidence against the trolls. I had no opinion either way, and so let the page remain in accordance with community wishes.

    Nobody has ever identified a non-troll account on that page. No innocent person has complained to me that they were affected. None of the accounts (aside from the known troll accounts) had any identifying information associated with them.

  21. Obligatory bash.org by nganju · · Score: 3, Funny

    Cthon98> hey, if you type in your pw, it will show as stars
    Cthon98> ********* see!
    AzureDiamond> hunter2
    AzureDiamond> doesnt look like stars to me
    Cthon98> *******
    Cthon98> thats what I see
    AzureDiamond> oh, really?
    Cthon98> Absolutely
    AzureDiamond> you can go hunter2 my hunter2-ing hunter2
    AzureDiamond> haha, does that look funny to you?
    Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
    AzureDiamond> thats neat, I didnt know IRC did that
    Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
    AzureDiamond> awesome!
    AzureDiamond> wait, how do you know my pw?
    Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
    AzureDiamond> oh, ok.

    --
    There are 2 kinds of people in this world. Those that can keep their train of thought,
  22. Tempest in a teapot by Eloquence · · Score: 4, Informative
    The gist of the story, which refers to an event from July 2004 (many of the users in question have since left), is correct: there may be legitimate accounts on this list of 109 account names. However, about 90% of them are from identified and well-known trolls and problem users. It's important to know that it's relatively easy for us to block a user, but it's also relatively easy for that user to come back under a new name, especially if they use dynamic IP addresses. Many trolls also like to impersonate others (many of the listed accounts are obvious impersonations of famous Wikipedians).

    Unfortunately, Tim at the time didn't run a password checker against the hashes, which could have thrown weak passwords out of the list and thereby prevented legitimate accounts from being included with reasonable effectiveness.

    The submitter clearly has an axe to grind (and may well be identical to the comment poster). No similar lookup has taken place since July 2004, so this story is a tempest in a teapot.

    I would agree with the criticism in one regard: The decision not to delete the page was mistaken. One problem was that the deletion request came from a troll, which made a lot of people vote to keep the page "by default." The other problem is that the technical arguments to delete the page came in too late to make a difference.

    In any case, as noted, this was months ago, has not been repeated since then, and any non-troll among the listed accounts can simply change their password. We're not talking about credit card data here, anyway -- creating a Wikipedia account takes 20 seconds and doesn't even require a valid email address. All that it contains are a bunch of user preferences.
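The password check Eloquence suggests, as an added example that is not the page's or MediaWiki's code: against unsalted MD5 (assumed here as the storage scheme), a single pass over a wordlist cracks every weak password in the table at once, so any identical-hash group whose hash cracks can be dropped from the list as a probable coincidence before anything is published, and only groups with uncrackable shared passwords remain. The table rows and the wordlist are constructed.

```python
import hashlib
from collections import defaultdict


def md5_hex(password: str) -> str:
    """Assumed unsalted scheme for illustration."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed rows: username -> stored hash. Not the real list.
SAMPLE_TABLE = {
    "alice": md5_hex("password"),      # two unrelated users on a dictionary word
    "bob": md5_hex("password"),
    "troll1": md5_hex("xq9!Lm-2vK"),   # sock puppets sharing a strong password
    "troll2": md5_hex("xq9!Lm-2vK"),
    "carol": md5_hex("letmein"),       # weak, but nobody shares it
}

# Small constructed wordlist; a real check would use a full dictionary plus mangling rules.
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2"]


def shared_hash_groups(table: dict) -> dict:
    """hash -> [users] for every hash stored by more than one account."""
    by_hash = defaultdict(list)
    for user, h in table.items():
        by_hash[h].append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def crack_unsalted(hashes, wordlist) -> dict:
    """Hash the wordlist once and look every target up in it: no salt means one pass covers all users."""
    lookup = {md5_hex(word): word for word in wordlist}
    return {h: lookup[h] for h in hashes if h in lookup}


def filter_groups(table: dict, wordlist) -> tuple:
    """Split shared-hash groups into (publishable, excluded).

    A group whose hash cracks is excluded: two strangers picking the same
    dictionary word is a plausible coincidence. A group whose hash survives the
    wordlist is a far stronger signal that one person created all the accounts.
    """
    groups = shared_hash_groups(table)
    cracked = crack_unsalted(groups.keys(), wordlist)
    publishable = [users for h, users in groups.items() if h not in cracked]
    excluded = [users for h, users in groups.items() if h in cracked]
    return publishable, excluded


if __name__ == "__main__":
    keep, drop = filter_groups(SAMPLE_TABLE, WORDLIST)
    print("publishable groups:", keep)
    print("excluded as weak-password coincidences:", drop)
```

The same one-pass lookup is why unsalted storage is the real defect in the thread: whoever can read the table (a developer, or an attacker with a database dump) recovers every weak password with a single wordlist run, and with no salt the cost does not grow with the number of accounts. With a per-user salt the cracking pass has to be repeated for each account, which is the property the earlier salted example provides.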

  23. Two lessons here: by callipygian-showsyst · · Score: 2, Insightful

    1. You should never have a password appear in a publicly readable "hash" or URL parameter, even if it's one-way encrypted

    2. You should NEVER use a password for a site that's the same as an important password

    I tend to have three tiers of password:

    1. "junk" passwords for non-critical sites (like /. or nytimes registration) that don't really matter

    2. secure passwords for web-based email, etc, that I wouldn't want getting out

    3. High-security passwords for banking, etc (these are different for each site, and I write them down and keep the list in my safe.)

  24. An Outrage! by Anonymous Coward · · Score: 2, Insightful

    That worthless Microsoft..., wait I mean switch to Lin..., I mean stupid DMCA lawyer...oh nevermind, someone that we all like is at fault, we'll ignore it.

  25. Re:accusing the author of trolling to distract us by STrinity · · Score: 3, Insightful

    Trolls deserve nothing.

    Frankly, I don't care if they rape nuns, kill puppies for sport, and eat kittens for breakfast. You should not compromise security, even this trivially, for any reason.

    If you were so stupid as to use a common word for a password and couldn't even be bothered to do something like change it to "pass45word" then you deserve whatever happens.

    It's Wikipedia, not Amazon or PayPal. Most people don't care enough to use a strong password.

    --
    Les Miserables Volume 1 now up with my reading of