On 08/07/2014 09:58 AM, Casey Brown wrote:
One of the most common methods, other than through text messages, is
the Google Authenticator App that anyone can download for free on a
smart phone. https://en.wikipedia.org/wiki/Google_Authenticator.
There are also open source versions of this
: Re: [Wikitech-l] News about stolen Internet credentials;
reducing Wikimedia reliance on usernames and passwords
On Wed, 6 Aug 2014, at 21:49, Andre Klapper wrote:
On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote:
After reading this [1] I am wondering if Wikimedia should start taking
On Aug 6, 2014 8:57 AM, svetlana svetl...@fastmail.com.au wrote:
On Wed, 6 Aug 2014, at 21:49, Andre Klapper wrote:
On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote:
After reading this [1] I am wondering if Wikimedia should start taking
steps to reduce reliance on usernames and passwords.
I think we should start looking at alternative authentication systems
especially for high risk accounts. There are several variations on the
theme of one-time passwords that I think could be explored.
Pine
On Aug 6, 2014 11:05 PM, Brian Wolff bawo...@gmail.com wrote:
On Aug 6, 2014 8:57 AM,
As someone with one of those high risk accounts, one time passwords would
be more likely to make me drop those permissions. Any administrator has a
high risk account given the opportunities that they have.
Risker/Anne
On 7 August 2014 07:59, Pine W wiki.p...@gmail.com wrote:
I think we
Do you have anything specific in mind? Hard to say how feasible
something is/evaluate without being more specific.
Most non-password alternatives that I can think of (e.g. Having public
private key pairs or something) have the problem that they can't
really be integrated well enough into a web
On Thu, Aug 7, 2014 at 9:49 AM, Risker risker...@gmail.com wrote:
As someone with one of those high risk accounts, one time passwords would
be more likely to make me drop those permissions. Any administrator has a
high risk account given the opportunities that they have.
Risker/Anne
+1.
On Thursday, August 7, 2014, Brian Wolff bawo...@gmail.com wrote:
Do you have anything specific in mind? Hard to say how feasible
something is/evaluate without being more specific.
Most non-password alternatives that I can think of (e.g. Having public
private key pairs or something) have the
On Thu, 7 Aug 2014, at 19:50, Martijn Hoekstra wrote:
On Thursday, August 7, 2014, Brian Wolff bawo...@gmail.com wrote:
Do you have anything specific in mind? Hard to say how feasible
something is/evaluate without being more specific.
Most non-password alternatives that I can think of
I've long wondered about that. Are there really no browser based public key
based solutions? Are there any fundamental reasons why that is like that
other than that it never got implemented, or never became popular?
It seems like the right solution for the password problem.
-Martijn
I
On 7 August 2014 10:49, Chad innocentkil...@gmail.com wrote:
On Thu, Aug 7, 2014 at 9:49 AM, Risker risker...@gmail.com wrote:
As someone with one of those high risk accounts, one time passwords
would
be more likely to make me drop those permissions. Any administrator has
a
high risk
On Aug 7, 2014, at 6:01, Brian Wolff bawo...@gmail.com wrote:
I've long wondered about that. Are there really no browser based public key
based solutions? Are there any fundamental reasons why that is like that
other than that it never got implemented, or never became popular?
It seems
Hm... and I am a lazy hacker, so now when you told us your password,
could you please give me your username as well so that I don't have to
search it? Thanks! :P
On Thu, Aug 7, 2014 at 11:49 AM, Chad innocentkil...@gmail.com wrote:
I'm lazy and wouldn't want the burden of remembering more
than
nevermind, I just figured out that I can edit almost anything on
wikipedia even without password... what a hacker am I!
BTW: those with high-risk accounts should use strong passwords, which
could be very safe at some point. I once suggested some security
enhancements that wouldn't impact users at
Oh I have no problem with regular forced password changes, say quarterly or
so; I'm used to that in other contexts. But not a one-time password, which
will actually increase risk because people will choose "keep me logged in"
to avoid having to get a new password every time they want to log
On 7 August 2014 12:04, Brian Wolff bawo...@gmail.com wrote:
Oh I have no problem with regular forced password changes, say quarterly
or
so; I'm used to that in other contexts. But not a one-time password,
which
will actually increase risk because people will choose keep me logged
in
...@lists.wikimedia.org
[mailto:wikitech-l-boun...@lists.wikimedia.org] On Behalf Of Risker
Sent: Thursday, 7 August 2014 10:50
To: Wikimedia developers
Subject: Re: [Wikitech-l] News about stolen Internet credentials; reducing
Wikimedia reliance on usernames and passwords
As someone
On Thu, Aug 7, 2014 at 6:01 AM, Brian Wolff bawo...@gmail.com wrote:
I think TLS has a feature where the client can also provide a
certificate, in order to use certificates to authenticate users. I've
never heard of a site actually using it.
Indeed.
On Thu, Aug 7, 2014 at 8:10 AM, Risker risker...@gmail.com wrote:
A lot of the solutions normally bandied about involve things like
two-factor identification, which has the additional password coming
through a separate route (e.g., gmail two-factor ID sends a second password
as a text to a
On Thu, Aug 7, 2014 at 6:58 AM, Casey Brown li...@caseybrown.org wrote:
On Thu, Aug 7, 2014 at 8:10 AM, Risker risker...@gmail.com wrote:
A lot of the solutions normally bandied about involve things like
two-factor identification, which has the additional password coming
through a
There are good reasons people would target checkuser accounts, WMF staff
email accounts, and other accounts that have access to lots of private info
like functionary email accounts and accounts with access to restricted IRC
channels.
Pine
On Thu, Aug 7, 2014 at 11:21 AM, Ryan Lane
On Thu, Aug 7, 2014 at 11:27 AM, Pine W wiki.p...@gmail.com wrote:
There are good reasons people would target checkuser accounts, WMF staff
email accounts, and other accounts that have access to lots of private info
like functionary email accounts and accounts with access to restricted IRC
There are sensitive communications over IRC such as harassment
investigations, although hopefully not to the degree that sensitive info
goes over email. I use what is advertised as a secure method of accessing
IRC, but that is still probably much weaker than end-to-end email
encryption. We could
My staff email is boring. You're more than welcome to break in.
-Chad
On Aug 7, 2014 7:27 PM, Pine W wiki.p...@gmail.com wrote:
There are good reasons people would target checkuser accounts, WMF staff
email accounts, and other accounts that have access to lots of private info
like functionary
Internet credentials; reducing
Wikimedia reliance on usernames and passwords
On Wed, 6 Aug 2014, at 21:49, Andre Klapper wrote:
On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote:
After reading this [1] I am wondering if Wikimedia should start taking
steps to reduce reliance on usernames
On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote:
After reading this [1] I am wondering if Wikimedia should start taking
steps to reduce reliance on usernames and passwords.
What steps do you refer to, or is this intentionally vague?
Disallowing usernames and logins?
Two-step
On Wed, 6 Aug 2014, at 21:49, Andre Klapper wrote:
On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote:
After reading this [1] I am wondering if Wikimedia should start taking
steps to reduce reliance on usernames and passwords.
What steps do you refer to, or is this intentionally vague?
0x405D34A7C86B42DF
From: svetlana svetl...@fastmail.com.au
Reply: Wikimedia developers wikitech-l@lists.wikimedia.org
Date: August 6, 2014 at 7:57:12
To: wikitech-l@lists.wikimedia.org wikitech-l@lists.wikimedia.org
Subject: Re: [Wikitech-l] News about stolen Internet credentials; reducing
Wikimedia
After reading this [1] I am wondering if Wikimedia should start taking
steps to reduce reliance on usernames and passwords. This issue is relevant
to WMF and thematic organization staff email accounts, on-wiki accounts
especially those with CU/OS and Arbcom roles, and other sensitive Wikimedia