Talk:Wikimedia Security Team/Password strengthening 2019
- (cur prev topic) 18:42, 9 November 2019 . . Manorainjan (talk | contribs) commented on "Beyond the scope of the NIST paper!" (The initial statement was: "The Wikimedia Security team has chosen to base our requirements on the National Institute of Standards and Te...) . . +537
- (cur prev topic) 18:34, 9 November 2019 . . Manorainjan (talk | contribs) commented on "Warn, not require? Remember previous RfC??" (In the NIST paper it is mentioned: A.1 Introduction Despite widespread frustration with the use of passwords from both a usability and se...) . . +1,088
- (cur prev topic) 08:07, 15 December 2018 . . Incnis Mrsi (talk | contribs) commented on "Extra user rights and definition of "character"" (If the current code counts bytes, then you should document that some gap exists between the policy and its actual software enforcement.) . . +135
- (cur prev topic) 01:56, 13 December 2018 . . Tgr (talk | contribs) commented on "More potential privileged groups" (Edit filter managers, too. They are not that dangerous actually, but can see some private data.) . . +95
- (cur prev topic) 22:17, 12 December 2018 . . Krenair (talk | contribs) commented on "More potential privileged groups" (Interface administrators are on there @Salvidrim!) . . +64
- (cur prev topic) 21:52, 12 December 2018 . . Salvidrim! (talk | contribs) commented on "More potential privileged groups" (I see "Global interface editors" on the list, but not local Interface Administrators (aka techadmins, see enwiki page). I also think edit...) . . +320
- (cur prev topic) 00:35, 12 December 2018 . . NickK (talk | contribs) commented on "Is the top-100K password list really universal?" (@CKoerner (WMF): I agree that this is a real list of passwords used by real people. I just believe that for some reason this list include...) . . +1,639
- (cur prev topic) 22:47, 10 December 2018 . . TBolliger (WMF) (talk | contribs) commented on "Extra user rights and definition of "character"" (You are correct — this is lax. The Wikimedia Foundation's Security team is aware of this shortcoming and may want to address it in the fu...) . . +166
- (cur prev topic) 18:44, 10 December 2018 . . Jdforrester (WMF) (talk | contribs) marked the topic "Password requirements" as resolved (marked as resolved) . . 0
- (cur prev topic) 18:18, 10 December 2018 . . Jdforrester (WMF) (talk | contribs) marked the topic "Based on NIST" as resolved (marked as resolved) . . 0
- (cur prev topic) 15:49, 10 December 2018 . . CKoerner (WMF) (talk | contribs) commented on "Is the top-100K password list really universal?" (The list of passwords is based upon the Weakpass project's best wordlists. The list is based upon real passwords used by people from vari...) . . +408
- (cur prev topic) 14:59, 10 December 2018 . . CKoerner (WMF) (talk | contribs) commented on "Based on NIST" (There's a reference to the NIST guidelines in the Password requirements section. https://pages.nist.gov/800-63-3/sp800-63b.html) . . +129
- (cur prev topic) 10:04, 10 December 2018 . . Bawolff (talk | contribs) commented on "Extra user rights and definition of "character"" (I think passwords get converted to NFC - so if we were counting code points instead of bytes common (but not all) accented latin characte...) . . +244
- (cur prev topic) 08:36, 10 December 2018 . . Tgr (talk | contribs) commented on "Extra user rights and definition of "character"" (Filed as T211550. Seems like a nontrivial problem though - accented latin characters probably shouldn't count double, emojis probably sho...) . . +297
- (cur prev topic) 22:15, 9 December 2018 . . Tgr (talk | contribs) commented on "Password requirements" (FWIW even against bruteforcing by an attacker with access to the hash, 8 random characters are not really weak. If you use PBKDF2 with 10...) . . +420
- (cur prev topic) 22:00, 9 December 2018 . . Multichill (talk | contribs) commented on "Password requirements" (You're making a classic mistake here. The 8 character password is weak is based on the assumption you can do a Brute-force attack. In t...) . . +463
- (cur prev topic) 21:54, 9 December 2018 . . Bawolff (talk | contribs) edited a post on "Extra user rights and definition of "character"" . . +16
- (cur prev topic) 21:54, 9 December 2018 . . Bawolff (talk | contribs) commented on "Extra user rights and definition of "character"" (Current code (Unless someone is planning to change it) is checking number of bytes. So a unicode code point can be between 1-4 bytes depe...) . . +504
- (cur prev topic) 19:01, 9 December 2018 . . ToBeFree (talk | contribs) edited a post on "Password requirements" . . +82
- (cur prev topic) 18:55, 9 December 2018 . . ToBeFree (talk | contribs) commented on "Password requirements" (8 character Unicode passwords surely can not be broken within hours by any means available on Earth. Do you mean "8 lowercase letters?") . . +135
- (cur prev topic) 13:03, 9 December 2018 . . Multichill (talk | contribs) commented on "Based on NIST" (Did you base your new policy on https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret ? I didn't see any reference to it. You might wa...) . . +173
- (cur prev topic) 08:15, 9 December 2018 . . Tgr (talk | contribs) commented on "Password requirements" (The NIST guidelines (last updated in 2017) actually recommend 8 or more characters.) . . +169
- (cur prev topic) 17:44, 8 December 2018 . . NickK (talk | contribs) commented on "Is the top-100K password list really universal?" (Having looked through the list, it looks very Latin and probably American. There is no way the most popular Cyrillic passwords like "паро...) . . +1,251
- (cur prev topic) 08:58, 8 December 2018 . . KlaasZ4usV (talk | contribs) commented on "Password requirements" (One would be very naive to enter one's password there....) . . +57
- (cur prev topic) 08:50, 8 December 2018 . . KlaasZ4usV (talk | contribs) commented on "Extra user rights and definition of "character"" (Not true: are not words, but syllables. It's not so hard to remember a word of 8 syllables. There are numerous tools to save your passwor...) . . +328
- (cur prev topic) 07:40, 8 December 2018 . . Mukkakukaku (talk | contribs) commented on "Extra user rights and definition of "character"" (That kind of defeats the purpose of this feature then, doesn't it? If I get promoted, and my password is insufficient, then I can just sk...) . . +565
- (cur prev topic) 01:13, 8 December 2018 . . Johnuniq (talk | contribs) commented on "Password requirements" (Thanks, but no, that did not help. The problem is the bulleted text in the "Password requirements" section. That clearly states that a mi...) . . +451
- (cur prev topic) 19:35, 7 December 2018 . . TBolliger (WMF) (talk | contribs) commented on "Forced update?" (Hello Ivanvector, thanks for your questions. error message when a privileged user logs in with a short password 1) No. Those who have pas...) . . +1,023
- (cur prev topic) 18:51, 7 December 2018 . . CKoerner (WMF) (talk | contribs) commented on "Timeframe" (Leaving a note so folks don't think we're ignoring Tgr. :) Replies have been made on that task.) . . +95
- (cur prev topic) 17:22, 7 December 2018 . . Ivanvector (talk | contribs) commented on "Forced update?" (Neat interface you got here. Couple questions: 1) are all privileged users now required to choose a new password? Or only those who do no...) . . +413
- (cur prev topic) 16:52, 7 December 2018 . . TBolliger (WMF) (talk | contribs) commented on "Extra user rights and definition of "character"" (Yes, they can log-in and use all functionality. The next time they log-in they will see the same prompt and can skip it again.) . . +126
- (cur prev topic) 16:19, 7 December 2018 . . CKoerner (WMF) (talk | contribs) commented on "Password requirements" (Ah, apologies for the confusion. The requirements section does state for privileged accounts, "This is enforced the next time the user lo...) . . +223
- (cur prev topic) 16:15, 7 December 2018 . . Jdforrester (WMF) (talk | contribs) created topic summary on Will using its username as a password be allowed? . . +3
- (cur prev topic) 16:15, 7 December 2018 . . Jdforrester (WMF) (talk | contribs) marked the topic "Will using its username as a password be allowed?" as resolved (marked as resolved) . . 0
- (cur prev topic) 16:10, 7 December 2018 . . CKoerner (WMF) (talk | contribs) commented on "Will using its username as a password be allowed?" (That requirement remains and is detailed in the policy. This project covers the new additions.) . . +123
- (cur prev topic) 16:03, 7 December 2018 . . Krenair (talk | contribs) edited a post on "More potential privileged groups" . . -27
- (cur prev topic) 16:03, 7 December 2018 . . Krenair (talk | contribs) commented on "More potential privileged groups" (So we're still missing: Systems administrators Pathoschild's/global deleter Researchers) . . +94
- (cur prev topic) 15:57, 7 December 2018 . . CKoerner (WMF) (talk | contribs) commented on "More potential privileged groups" (Thanks for the suggestions. I've updated the list to be more clear on which accounts are included.) . . +98
- (cur prev topic) 15:00, 7 December 2018 . . Misibacsi (talk | contribs) commented on "Password requirements" (Please be aware that an 8-character password is considered as weak. It can be broken within 2 hours (if random enough). Go and try: https...) . . +345
- (cur prev topic) 13:27, 7 December 2018 . . AntonierCH (talk | contribs) commented on "Will using its username as a password be allowed?" (Hello, I might not have read properly, but it appears that the old criteria disallowing a user to set his username as password won't be k...) . . +165
- (cur prev topic) 02:51, 7 December 2018 . . Johnuniq (talk | contribs) commented on "Password requirements" (Yes it is in the list: that is my point. The current text does not say that the full password policy will be enforced when a privileged u...) . . +213
- (cur prev topic) 02:34, 7 December 2018 . . Mukkakukaku (talk | contribs) edited a post on "Extra user rights and definition of "character"" . . -97
- (cur prev topic) 02:34, 7 December 2018 . . Mukkakukaku (talk | contribs) commented on "Extra user rights and definition of "character"" (What happens if they skip? Do they then get the enhanced permissions but evade the improved password requirements? --Mukkakukaku (talk) 0...) . . +211
- (cur prev topic) 00:50, 7 December 2018 . . TBolliger (WMF) (talk | contribs) commented on "Extra user rights and definition of "character"" (Hello Nyttend! Good questions, thank you for asking. 1) This functionality already exists — the current minimum password length for a per...) . . +539
- (cur prev topic) 23:53, 6 December 2018 . . BMacZero (talk | contribs) commented on "Password requirements" (I imagine 1234567890 appears in the 100,000-password blacklist.) . . +63
- (cur prev topic) 23:46, 6 December 2018 . . Nyttend (talk | contribs) edited a post on "Extra user rights and definition of "character"" . . +2
- (cur prev topic) 23:44, 6 December 2018 . . Nyttend (talk | contribs) changed the topic title from "Extra user rights" to "Extra user rights and definition of "character"" . . +30
- (cur prev topic) 23:44, 6 December 2018 . . Nyttend (talk | contribs) commented on "Extra user rights and definition of "character"" (Two concerns: (1) How will you handle a situation in which a user with an 8- or 9-character password is given advanced rights? We can't r...) . . +678
- (cur prev topic) 23:17, 6 December 2018 . . Jdforrester (WMF) (talk | contribs) marked the topic "More groups?" as resolved (marked as resolved) . . 0
- (cur prev topic) 23:15, 6 December 2018 . . Gryllida (talk | contribs) commented on "Warn, not require? Remember previous RfC??" (I think there was a request for comment previously and the outcome was that enforcing any password strength is bad, instead a warning sho...) . . +524