> On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling<tstarling <at> wikimedia.org> wrote: > > They would only have to get the site usernames to decrypt the login > info. They could get those the next time each user logs in, if > they're not detected immediately. There's no way around this; if your > program can log in as the users, so can an attacker who's able to > subvert your program.
Wouldn't adding a salt fix this? They would have to have both the username, the database, and the salt value to decrypt the wiki list. > > I would suggest you apply for a toolserver account: > > https://wiki.toolserver.org/view/Account_approval_process > > Once you have a toolserver account, I'd be willing to work with you to > arrange for some form of direct access to all wikis' watchlist tables > (I'm a toolserver root). You then wouldn't need to possess any login > info. > I attempted to apply for a toolserver account, but it appears that the server at http://toolserver.org/accountrequest is down (as of 1:27pm CDT). ~Cody _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l