Slashdot Mirror


Wikipedia Leaks Some Users' Passwords

JJ Budion writes "If you've signed up for an account on Wikipedia.org, you may want to check this page to make sure you're not on there. It seems certain users with identical password hashes can find other user names with the same password, and Wikipedia (despite being alerted) has done nothing about the problem for the last year. A good (although slightly inflammatory) description of the problem can be found here. This is probably a good occasion to remember to use strong passwords (apparently only users with common passwords, like dictionary words, are affected)."

17 of 238 comments

  1. A few points by daveschroeder · · Score: 5, Interesting

    To be clear, this isn't a case of Wikipedia "leaking" passwords or allowing some kind of exploit via technical means; this is Tim Starling deciding to specifically and literally publish a list of usernames that share the same password, ostensibly for the purpose of revealing trolls and flooders with multiple accounts.

    From the looks of a few of the lists (RickK, RíckK, RìckK, RiÄkK, RïckK, RiÄkK; Mäximus Rex, Maximus Rex, MaximusRex; JíangSlumDawg, JiangFlungDung; LlortTheehtTroll, LlörtTheehtTröll; The Two Trolls,The Fellowship of the Troll,The Return of the Troll,The Trolls of Navarone,Troll Silent, Troll Deep,The Trolling Stones, RangelaND Visa CONtroll), it would appear that some of these are indeed obvious duplicate accounts (whether or not they're "trolls" is, I imagine, beside the point).

    But it seems that he also caught a bunch of innocent folks who just happen to share the same password, not beyond the realm of comprehension for a password used for an "online" non-financial, non-critical site on a service with thousands of users. The submission makes it seem like Wikipedia knew about some kind of "exploit" and did nothing; rather, it seems like Wikipedia is content to let potential, and indeed confirmed in one case as admitted on the page, abuse of innocent users' privacy continue in the name of exposing possible (admittedly annoying) trolls. (That's my own take on the situation, anyway.)

    Interestingly, Wikimedia's (draft?) Privacy Policy says:

    Many aspects of the Wikimedia projects community interactions depend on the reputation and respect that is built up through a history of valued contributions. User passwords are the only guarantee of the integrity of a user's edit history. All users are encouraged to select strong passwords and to never share them. No one shall knowingly expose the password of another user to public release either directly or indirectly.

    It appears that, in this case, Wikimedia itself is implicitly "knowingly" releasing passwords to the public. One of the many problems with a community site for which there is no central responsible authority. Anyone who hasn't yet would do themselves well to read the summary of the issue linked in the submission.

  2. Well, good for me! by TheRealMindChild · · Score: 4, Funny

    I guess it is a good thing that I use "TheCowJumpedOverMyMotherInLaw" as my password... no one will ever figure that one out

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  3. If you're a troll on Wikipedia, by MrAnnoyanceToYou · · Score: 5, Interesting

    Please make yourself a new account or two. Seriously, the rather inflammatory summary didn't tip off the on-duty editor that this might not be that big a deal? 100 names out of how many? Gimmie a break.

    Additionally, every single post I've seen associated with this looks like someone just looking to drum up trouble for Wikipedia. Look at the list, and you'll notice that a lot of them, yes, are copies. And if they're not copies, you should have used a better password anyways, there's not even numbers in those... On top of that, the developer in charge of that little page seems like quite a decent fellow.

    Shame to you for not editing that summary a bit.

  4. Wiki-passwords? by pianorain · · Score: 5, Funny

    Bah...you mean that I can't edit other people's passwords too?

  5. "News"? by TripMaster+Monkey · · Score: 4, Informative

    Um...didn't this happen like a year ago?

    --
    ____

    ~ |rip/\/\aster /\/\onkey

  6. Shame on Wiki by goldspider · · Score: 3, Insightful

    If they're going to succeed in portraying Wikipedia as a mature, reliable alternative to traditional encyclopedias, then they aught to make damned sure that their ducks are in a row. Their disregard of customer concerns is a shameful.

    If, in the long-term, Wikipedia's image is tarnished by this, it is well-deserved.

    --
    "Ask not what your country can do for you." --John F. Kennedy
    1. Re:Shame on Wiki by Rei · · Score: 4, Funny

      You did your post wrong, and are just asking to have other editors come along and fix it for you. To save this from a hundred edits, I'll go ahead and try to get them all at once:

      If they're going to succeed in portraying Wikipedia as a mature, reliable alternative to traditional encyclopedias, they ought to make damned sure that their ducks are in a row. Their disregard for customer concerns is shameful.

      If, in the long-term, Wikipedia's image is tarnished by this, it is well-deserved.

      See also:
      * Wikipedia (external link)

      --
      Aeris Died For Your Sins.
  7. the two guys by Anonymous Coward · · Score: 5, Funny

    the two guys with "Ilovetehfatchicks" as their password who showed up on each others list are just looking at each other right now. They know the other guy knows, but nobody else does, so the uncomfortable, pregnant, silence continues.

  8. 40 years of UNIX by Jeffrey+Baker · · Score: 4, Insightful

    Salt, anyone?

  9. Doesn't know diddly about hashing by fuzzy12345 · · Score: 4, Informative
    Anyone who thinks it's a hash collision problem, but that only people with 'weak' passwords will be affected, doesn't understand hashing.

    Anyone who, in this day and age, writes a system whereby two users assign themselves the same password and end up with the same hashed password ought to be shot. Add a little SALT!

    --

    Everybody's a libertarian 'till their neighbour's becomes a crack house.
  10. You're missing the point by Geoffreyerffoeg · · Score: 4, Informative

    1) Those heading titles aren't the passwords themselves, just one member from the group. The original passwords are encrypted and unknown. These are users with the same hash. Nobody knows if they used a password like "my_pass_word" or like "ar49B!4Nc&&". Password strength is irrelevant. Besides, the developers of any site always have access to your password hashes, since someone needs full read access to the databases.

    2) A quick glance at those lists shows that they're all duplicate ("sock-puppet") accounts, and they're mostly from trolls. If you haven't watched Wikipedia much, you may not know the illustrious story of the sock-puppets, but even seemingly unrelated names (e.g., Lir and Pizza Puzzle) are widely believed to be the same user.

    3) This story is what they call "FUD". If someone finds a valid user's account among these, then tell the user, and say that you found one (you don't have to say who). Until then, since the page appears to be all sock puppets, don't assume that there are innocent civilians caught in the collateral damage. As the page says, "all the accounts listed on this page have been created solely for the purpose of trolling." Only when that claim is disproven does the page become a worry.

    -- User:Geoffrey on Wikipedia

    1. Re:You're missing the point by idontgno · · Score: 3, Insightful
      Those heading titles aren't the passwords themselves, just one member from the group. The original passwords are encrypted and unknown. These are users with the same hash.

      Yes, and as such everyone in the same heading now knows the password for everyone else in the same heading. Given the high likelihood that many of the accounts are trolls, that means if innocent Wikipedian "you" happen to share a password with a troll, that troll knows it now. Lucky you.

      they're mostly from trolls.

      What, only "mostly"? Not a very strong assertion in the face of a potential privacy violation. C'mon, if you're gonna assert that you intend to "out" only the trolls, you need to stick to the story. Admitting that the list is "mostly" trolls is admitting that the list is "partially" innocents. Who have now been screwed.

      As the page says, "all the accounts listed on this page have been created solely for the purpose of trolling."

      Well, then, obviously there's no story. Silly us. The creator of the page says there's no innocents listed, therefore there are no innocents listed.

      In related news, Microsoft Windows is the most secure server OS EVAR!!! MS's Marketing department sed so!

      Only when that claim is disproven does the page become a worry.

      No, in a sane world, the page is a worry until the counterclaim is positively proven: that there are demonstrably no innocent user IDs on the page.

      Until then, I'm gonna watch that page and its automated incarnation (if it occurs) very carefully. I have been a moderately active Wikipedian up until now, but if I'm gonna get carpet-bombed just because I accidentally move in next door to a troll, I'll find someplace else to contribute.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
  11. This whole story is flamebait by Raul654 · · Score: 4, Interesting

    First, this was not a technical flaw - this was one developer intentionally looking for identical password hashes. Second, this is not news - the page in question was created last July as a one time thing to flush out trolls.

    Why would we publish a list of accounts with identical passwords? Because certain trolls are known to register multiple accounts with the same password, and use them to troll, vote stuff, and all sorts of other unpleasant activities. Of course, many times, it is not hard to guess who those accounts belong to based on editing habits, but of course the trolls in question will deny it. But being matched by password was a one-time way to shoot through all their lies. This whole story is old, and the summary is horribly biased.

    --

    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
  12. YHBT HAND by timstarling · · Score: 5, Informative

    A few other people have said it, but you may as well hear it from the source.

    That was the only time I published such lists. They were constructed by searching the database for password matches with the few most active trolls on Wikipedia at the time. People complained about the possibility that innocent users with weak passwords might have been affected. I conceded the point, apologised, and promised not to do it again. The issue was played up at the time by the trolls who were exposed -- not surprisingly, I wasn't winning any friends in that camp. Those same trolls still whinge about the existence of the page today.

    At the time, some people wanted the page deleted to protect any innocent people who might have been listed. The majority wanted the page kept as evidence against the trolls. I had no opinion either way, and so let the page remain in accordance with community wishes.

    Nobody has ever identified a non-troll account on that page. No innocent person has complained to me that they were affected. None of the accounts (aside from the known troll accounts) had any identifying information associated with them.

  13. Obligatory bash.org by nganju · · Score: 3, Funny

    Cthon98> hey, if you type in your pw, it will show as stars
    Cthon98> ********* see!
    AzureDiamond> hunter2
    AzureDiamond> doesnt look like stars to me
    Cthon98> *******
    Cthon98> thats what I see
    AzureDiamond> oh, really?
    Cthon98> Absolutely
    AzureDiamond> you can go hunter2 my hunter2-ing hunter2
    AzureDiamond> haha, does that look funny to you?
    Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
    AzureDiamond> thats neat, I didnt know IRC did that
    Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
    AzureDiamond> awesome!
    AzureDiamond> wait, how do you know my pw?
    Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
    AzureDiamond> oh, ok.

    --
    There are 2 kinds of people in this world. Those that can keep their train of thought,
  14. Tempest in a teapot by Eloquence · · Score: 4, Informative
    The gist of the story, which refers to an event from July 2004 (many of the users in question have since left), is correct: there may be legitimate accounts on this list of 109 account names. However, about 90% of them are from identified and well-known trolls and problem users. It's important to know that it's relatively easy for us to block a user, but it's also relatively easy for that user to come back under a new name, especially if they use dynamic IP addresses. Many trolls also like to impersonate others (many of the listed accounts are obvious impersonations of famous Wikipedians).

    Unfortunately, Tim at the time didn't run a password checker against the hashes, which could have thrown weak passwords out of the list and thereby prevented legitimate accounts from being included with reasonable effectiveness.

    The submitter clearly has an axe to grind (and may well be identical to the comment poster). No similar lookup has taken place since July 2004, so this story is a tempest in a teapot.

    I would agree with the criticism in one regard: The decision not to delete the page was mistaken. One problem was that the deletion request came from a troll, which made a lot of people vote to keep the page "by default." The other problem is that the technical arguments to delete the page came in too late to make a difference.

    In any case, as noted, this was months ago, has not been repeated since then, and any non-troll among the listed accounts can simply change their password. We're not talking about credit card data here, anyway -- creating a Wikipedia account takes 20 seconds and doesn't even require a valid email address. All that it contains are a bunch of user preferences.
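
The two technical points raised in this thread, "Salt, anyone?" (comments 8 and 9) and Eloquence's remark that a dictionary run against the hashes could have dropped weak passwords from the list before publication, can be shown in a few lines. The following is an added example written for this page; it is not code from MediaWiki or from anyone in the thread. The usernames, passwords and wordlist are constructed for the demo, a bare MD5 is used as a stand-in for whatever unsalted scheme the site had at the time, and PBKDF2-HMAC-SHA256 with a random per-user salt stands in for a hardened scheme.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample accounts for the demo (not the real list). The plaintexts
# exist here only to build the stored-hash table; a site keeps only the hashes.
SAMPLE_USERS = {
    "TrollA": "hunter2",
    "TrollA2": "hunter2",
    "TrollA3": "hunter2",
    "Civilian": "hunter2",           # innocent user who picked the same weak word
    "Careful": "xK#9vQ!2pLm7",
    "AlsoCareful": "xK#9vQ!2pLm7",   # unrelated users sharing a strong password
}

# Constructed stand-in for a cracking wordlist.
WORDLIST = ["password", "hunter2", "wikipedia", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Assumed legacy scheme: bare MD5 of the password, no per-user salt."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Assumed hardened scheme: PBKDF2-HMAC-SHA256 with a random per-user salt,
    stored as salt$digest so the salt is available for later verification."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()


def unsalted_table(users: dict) -> dict:
    """What the database holds under the unsalted scheme."""
    return {u: unsalted_hash(p) for u, p in users.items()}


def salted_table(users: dict) -> dict:
    """What the database holds under the salted scheme (fresh 16-byte salt each)."""
    return {u: salted_hash(p, os.urandom(16)) for u, p in users.items()}


def group_by_hash(hashes: dict) -> list:
    """Groups of two or more usernames whose stored hash strings are identical.
    Under an unsalted scheme this is exactly the 'same password' lookup."""
    by_hash = defaultdict(list)
    for user, h in hashes.items():
        by_hash[h].append(user)
    return sorted(sorted(g) for g in by_hash.values() if len(g) > 1)


def dictionary_hits(hashes: dict, wordlist) -> dict:
    """Unsalted hashes that a trivial dictionary run recovers, mapped to the word.
    One hash computation per word covers every user at once, which is the cost
    a missing salt hands to the attacker."""
    lookup = {unsalted_hash(w): w for w in wordlist}
    return {h: lookup[h] for h in set(hashes.values()) if h in lookup}


def groups_excluding_weak(hashes: dict, wordlist) -> list:
    """The filter Eloquence describes: drop any shared hash that a dictionary
    run cracks, since innocent users are most likely to collide on those."""
    weak = dictionary_hits(hashes, wordlist)
    by_hash = defaultdict(list)
    for user, h in hashes.items():
        by_hash[h].append(user)
    return sorted(sorted(g) for h, g in by_hash.items()
                  if len(g) > 1 and h not in weak)


if __name__ == "__main__":
    unsalted = unsalted_table(SAMPLE_USERS)
    print("unsalted groups:", group_by_hash(unsalted))
    print("dictionary hits:", dictionary_hits(unsalted, WORDLIST))
    print("groups after weak filter:", groups_excluding_weak(unsalted, WORDLIST))
    print("salted groups:", group_by_hash(salted_table(SAMPLE_USERS)))
```

With the unsalted table, `group_by_hash` puts the three troll accounts and the innocent "Civilian" in one group and the two strong-password users in another, which is the situation the thread is arguing about. The dictionary pass flags the "hunter2" hash, so the weak filter keeps only the strong-password group; that still exposes two unrelated users, so the filter reduces but does not remove the privacy problem. With per-user salts the same six passwords produce six distinct stored strings and the lookup returns nothing, which is the point of the "Salt, anyone?" comments: an operator with database access can still verify a guessed password against one account, but can no longer read shared passwords off the table by equality.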

  15. Re:accusing the author of trolling to distract us by STrinity · · Score: 3, Insightful

    Trolls deserve nothing.

    Frankly, I don't care if they rape nuns, kill puppies for sport, and eat kittens for breakfast. You should not compromise security, even this trivially, for any reason.

    If you were so stupid as to use a common word for a password and couldn't even be bothered to do something like change it to "pass45word" then you deserve whatever happens.

    It's Wikipedia, not Amazon or PayPal. Most people don't care enough to use a strong password.

    --
    Les Miserables Volume 1 now up with my reading of