+1 to what Craig wrote: two-factor authentication, with a key stored in an authenticator application (which eliminates the problem of revealing the phone number), would definitely be a great thing - and we could make it opt-in, except for higher level functionaries.
best, dariusz On Sat, Nov 12, 2016 at 7:27 AM, Craig Franklin <cfrank...@halonetwork.net> wrote: > I know it's been said many times, but two-factor authentication, mandatory > for accounts with advanced privileges and optionally available for everyone > else, would seem to be a logical step. It's not foolproof, but it would go > a long way to making us less of a soft target. > > Cheers, > Craig > > On 12 November 2016 at 22:22, Fæ <fae...@gmail.com> wrote: > > > Do any of the volunteers contributing to this list have ideas for > > changes that may make a significant difference to security? > > > > Yesterday saw Jimmy Wales' Wikipedia account getting hacked, in the > > process appearing to promote an organisation.[1] It was not the only > > account compromised. This is being analysed, though as there are > > security issues being examined, the analysis has not been made public > > so far; plus it's the weekend :-) > > > > Over the last few years, there have improvements on account set-up and > > choice of passwords, along with user suggestions for better account > > management. Users can also chose to use committed identities[2] to > > make account recovery easier, and are encouraged to use more secure > > passwords. Two-factor authentication,[3] such as using mobile phone > > text messages, has been suggested a few times by volunteers, and this > > might be a good moment to encourage the WMF to have better facilities > > built into the projects. We could even make two-factor identification > > a requirement for trusted users, such as administrators, important > > bots, and "high profile" accounts, where they may have special rights > > that could cause a fair amount of disruption if a hacked account were > > not identified quickly. Considering that some administrator accounts > > can lie dormant for many months without the actual user monitoring it, > > these could end up being far more disruptive than well-watched > > accounts like Jimmy's. > > > > We may want extra security to remain mostly optional, keeping our > > projects simple to access. Education of new volunteers and trusted > > users may be critical for making it effective, such as avoiding social > > hacking. A clearer understanding of what the community would want to > > see improved would probably help set development priorities. > > > > Links > > 1. https://en.wikipedia.org/wiki/User_talk:Jimbo_Wales#Compromised > > 2. https://en.wikipedia.org/wiki/Template:Committed_identity > > 3. https://en.wikipedia.org/wiki/Multi-factor_authentication > > > > Thanks, > > Fae > > -- > > fae...@gmail.com https://commons.wikimedia.org/wiki/User:Fae > > > > _______________________________________________ > > Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ > > wiki/Mailing_lists/Guidelines > > New messages to: Wikimedia-l@lists.wikimedia.org > > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, > > <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe> > _______________________________________________ > Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ > wiki/Mailing_lists/Guidelines > New messages to: Wikimedia-l@lists.wikimedia.org > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, > <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe> > -- __________________________ prof. dr hab. Dariusz Jemielniak kierownik katedry Zarządzania Międzynarodowego i grupy badawczej NeRDS Akademia Leona Koźmińskiego http://n <http://www.crow.alk.edu.pl/>wrds.kozminski.edu.pl członek Akademii Młodych Uczonych Polskiej Akademii Nauk Wyszła pierwsza na świecie etnografia Wikipedii "Common Knowledge? An Ethnography of Wikipedia" (2014, Stanford University Press) mojego autorstwa http://www.sup.org/book.cgi?id=24010 Recenzje Forbes: http://www.forbes.com/fdc/welcome_mjx.shtml Pacific Standard: http://www.psmag.com/navigation/books-and-culture/killed-wikipedia-93777/ Motherboard: http://motherboard.vice.com/read/an-ethnography-of-wikipedia The Wikipedian: http://thewikipedian.net/2014/10/10/dariusz-jemielniak-common-knowledge _______________________________________________ Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>