Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wikipedia Leaks Some Users' Passwords

Posted by Zonk on from the not-a-good-trend dept.

JJ Budion writes "If you've signed up for an account on Wikipedia.org, you may want to check this page to make sure you're not on there. It seems certain users with identical password hashes can find other user names with the same password, and Wikipedia (despite being alerted) has done nothing about the problem for the last year. A good (although slightly inflammatory) description of the problem can be found here. This is probably a good occasion to remember to use strong passwords (apparently only users with common passwords, like dictionary words, are affected)."

5 of 238 comments (clear)

  1. A few points by daveschroeder · · Score: 5, Interesting

    To be clear, this isn't a case of Wikipedia "leaking" passwords or allowing some kind of exploit via technical means; this is Tim Starling deciding to specifically and literally publish a list of usernames that share the same password, ostensibly for the purpose of revealing trolls and flooders with multiple accounts.

    From the looks of a few of the lists (RickK, RíckK, RìckK, RiÄkK, RïckK, RiÄkK; Mäximus Rex, Maximus Rex, MaximusRex; JíangSlumDawg, JiangFlungDung; LlortTheehtTroll, LlörtTheehtTröll; The Two Trolls,The Fellowship of the Troll,The Return of the Troll,The Trolls of Navarone,Troll Silent, Troll Deep,The Trolling Stones, RangelaND Visa CONtroll), it would appear that some of these are indeed obvious duplicate accounts (whether or not they're "trolls" is, I imagine, beside the point).

    But it seems that he also caught a bunch of innocent folks who just happen to share the same password, not beyond the realm of comprehension for a password used for an "online" non-financial, non-critical site on a service with thousands of users. The submission makes it seem like Wikipedia knew about some kind of "exploit" and did nothing; rather, it seems like Wikipedia is content to let potential, and indeed confirmed in one case as admitted on the page, abuse of innocent users' privacy continue in the name of exposing possible (admittedly annoying) trolls. (That's my own take on the situation, anyway.)

    Interestingly, Wikimedia's (draft?) Privacy Policy says:

    Many aspects of the Wikimedia projects community interactions depend on the reputation and respect that is built up through a history of valued contributions. User passwords are the only guarantee of the integrity of a user's edit history. All users are encouraged to select strong passwords and to never share them. No one shall knowingly expose the password of another user to public release either directly or indirectly.

    It appears that, in this case, Wikimedia itself is implicitly "knowingly" releasing passwords to the public. One of the many problems with a community site for which there is no central responsible authority. Anyone who hasn't yet would do themselves well to read the summary of the issue linked in the submission.

  2. If you're a troll on Wikipedia, by MrAnnoyanceToYou · · Score: 5, Interesting

    Please make yourself a new account or two. Seriously, the rather inflammatory summary didn't tip off the on-duty editor that this might not be that big a deal? 100 names out of how many? Gimmie a break.

    Additionally, every single post I've seen associated with this looks like someone just looking to drum up trouble for Wikipedia. Look at the list, and you'll notice that a lot of them, yes, are copies. And if they're not copies, you should have used a better password anyways, there's not even numbers in those... On top of that, the developer in charge of that little page seems like quite a decent fellow.

    Shame to you for not editing that summary a bit.

    --
    My little site.
  3. Wiki-passwords? by pianorain · · Score: 5, Funny

    Bah...you mean that I can't edit other people's passwords too?

  4. the two guys by Anonymous Coward · · Score: 5, Funny

    the two guys with "Ilovetehfatchicks" as their password who showed up on each others list are just looking at each other right now. They know the other guy knows, but nobody else does, so the uncomfortable, pregnant, silence continues.

  5. YHBT HAND by timstarling · · Score: 5, Informative

    A few other people have said it, but you may as well hear it from the source.

    That was the only time I published such lists. They were constructed by searching the database for password matches with the few most active trolls on Wikipedia at the time. People complained about the possibility that innocent users with weak passwords might have been affected. I conceded the point, apologised, and promised not to do it again. The issue was played up at the time by the trolls who were exposed -- not surprisingly, I wasn't winning any friends in that camp. Those same trolls still whinge about the existence of the page today.

    At the time, some people wanted the page deleted to protect any innocent people who might have been listed. The majority wanted the page kept as evidence against the trolls. I had no opinion either way, and so let the page remain in accordance with community wishes.

    Nobody has ever identified a non-troll account on that page. No innocent person has complained to me that they were affected. None of the accounts (aside from the known troll accounts) had any identifying information associated with them.