Key-based auth isn't easy to do over HTTP. And there have been talks about adding special password requirements, 2-factor auth, etc. for special user groups.
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]

On 13-03-06 11:17 AM, Petr Bena wrote:
> It hurts because labs are not working very often.
>
> If you believe we desperately need such great security, why didn't we
> forbid password authentication on Wikipedia so far? What if some sysop
> account or steward account gets brute forced? That will be a bigger
> disaster than someone getting into labs...
>
> On Wed, Mar 6, 2013 at 8:15 PM, Jeremy Baron <[email protected]> wrote:
>> On Wed, Mar 6, 2013 at 7:12 PM, Petr Bena <[email protected]> wrote:
>>> Do you know that we are talking about labs and not production? I don't
>>> want to look like some insecure-stuff loving guy - but why in the
>>> world would someone want to brute force into labs?
>> Why invite them to?
>>
>>> If I were a hacker and I
>>> wanted to get into labs - I would just request an account and I would
>>> get it...
>> Also, some parts of labs may have different security needs than
>> others. Brute forcing a password gets you access to what that user
>> already has access to. Making a new account starts you out with almost
>> no access.
>>
>>> Do we need some high tech security here?
>> What does it hurt?
>>
>> _______________________________________________
>> Labs-l mailing list
>> [email protected]
>> https://lists.wikimedia.org/mailman/listinfo/labs-l
