I know it's been said many times, but two-factor authentication, mandatory
for accounts with advanced privileges and optionally available for everyone
else, would seem to be a logical step.  It's not foolproof, but it would go
a long way to making us less of a soft target.


On 12 November 2016 at 22:22, Fæ <fae...@gmail.com> wrote:

> Do any of the volunteers contributing to this list have ideas for
> changes that may make a significant difference to security?
> Yesterday saw Jimmy Wales' Wikipedia account getting hacked, in the
> process appearing to promote an organisation.[1] It was not the only
> account compromised. This is being analysed, though as there are
> security issues being examined, the analysis has not been made public
> so far; plus it's the weekend :-)
> Over the last few years, there have improvements on account set-up and
> choice of passwords, along with user suggestions for better account
> management. Users can also chose to use committed identities[2] to
> make account recovery easier, and are encouraged to use more secure
> passwords. Two-factor authentication,[3] such as using mobile phone
> text messages, has been suggested a few times by volunteers, and this
> might be a good moment to encourage the WMF to have better facilities
> built into the projects. We could even make two-factor identification
> a requirement for trusted users, such as administrators, important
> bots, and "high profile" accounts, where they may have special rights
> that could cause a fair amount of disruption if a hacked account were
> not identified quickly. Considering that some administrator accounts
> can lie dormant for many months without the actual user monitoring it,
> these could end up being far more disruptive than well-watched
> accounts like Jimmy's.
> We may want extra security to remain mostly optional, keeping our
> projects simple to access. Education of new volunteers and trusted
> users may be critical for making it effective, such as avoiding social
> hacking. A clearer understanding of what the community would want to
> see improved would probably help set development priorities.
> Links
> 1. https://en.wikipedia.org/wiki/User_talk:Jimbo_Wales#Compromised
> 2. https://en.wikipedia.org/wiki/Template:Committed_identity
> 3. https://en.wikipedia.org/wiki/Multi-factor_authentication
> Thanks,
> Fae
> --
> fae...@gmail.com https://commons.wikimedia.org/wiki/User:Fae
> _______________________________________________
> Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/
> wiki/Mailing_lists/Guidelines
> New messages to: Wikimedia-l@lists.wikimedia.org
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
> <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>
Wikimedia-l mailing list, guidelines at: 
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 

Reply via email to