I know it's been said many times, but two-factor authentication, mandatory for accounts with advanced privileges and optionally available for everyone else, would seem to be a logical step. It's not foolproof, but it would go a long way to making us less of a soft target.
Cheers, Craig On 12 November 2016 at 22:22, Fæ <fae...@gmail.com> wrote: > Do any of the volunteers contributing to this list have ideas for > changes that may make a significant difference to security? > > Yesterday saw Jimmy Wales' Wikipedia account getting hacked, in the > process appearing to promote an organisation. It was not the only > account compromised. This is being analysed, though as there are > security issues being examined, the analysis has not been made public > so far; plus it's the weekend :-) > > Over the last few years, there have improvements on account set-up and > choice of passwords, along with user suggestions for better account > management. Users can also chose to use committed identities to > make account recovery easier, and are encouraged to use more secure > passwords. Two-factor authentication, such as using mobile phone > text messages, has been suggested a few times by volunteers, and this > might be a good moment to encourage the WMF to have better facilities > built into the projects. We could even make two-factor identification > a requirement for trusted users, such as administrators, important > bots, and "high profile" accounts, where they may have special rights > that could cause a fair amount of disruption if a hacked account were > not identified quickly. Considering that some administrator accounts > can lie dormant for many months without the actual user monitoring it, > these could end up being far more disruptive than well-watched > accounts like Jimmy's. > > We may want extra security to remain mostly optional, keeping our > projects simple to access. Education of new volunteers and trusted > users may be critical for making it effective, such as avoiding social > hacking. A clearer understanding of what the community would want to > see improved would probably help set development priorities. > > Links > 1. https://en.wikipedia.org/wiki/User_talk:Jimbo_Wales#Compromised > 2. https://en.wikipedia.org/wiki/Template:Committed_identity > 3. https://en.wikipedia.org/wiki/Multi-factor_authentication > > Thanks, > Fae > -- > fae...@gmail.com https://commons.wikimedia.org/wiki/User:Fae > > _______________________________________________ > Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ > wiki/Mailing_lists/Guidelines > New messages to: Wikimediaemail@example.com > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, > <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe> _______________________________________________ Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines New messages to: Wikimediafirstname.lastname@example.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>