My staff email is boring. You're more than welcome to break in.

-Chad

On Aug 7, 2014 7:27 PM, "Pine W" <[email protected]> wrote:

> There are "good" reasons people would target checkuser accounts, WMF staff email accounts, and other accounts that have access to lots of private info like functionary email accounts and accounts with access to restricted IRC channels.
>
> Pine
>
> On Thu, Aug 7, 2014 at 11:21 AM, Ryan Lane <[email protected]> wrote:
>
> > On Thu, Aug 7, 2014 at 6:58 AM, Casey Brown <[email protected]> wrote:
> >
> > > On Thu, Aug 7, 2014 at 8:10 AM, Risker <[email protected]> wrote:
> > >
> > > > A lot of the "solutions" normally bandied about involve things like two-factor identification, which has the "additional" password coming through a separate route (e.g., gmail two-factor ID sends a second password as a text to a mobile) and means having more expensive technology) or using technology like dongles that cannot be sent to users in certain countries.
> > >
> > > Actually, most modern internet implementations use the TOTP algorithm, an open standard that anyone can use for free. <https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm> One of the most common methods, other than through text messages, is the Google Authenticator app that anyone can download for free on a smartphone. <https://en.wikipedia.org/wiki/Google_Authenticator>
> >
> > Yep. This. It's already being used for high-risk accounts on wikitech.wikimedia.org. It's not in good enough shape to be used anywhere else, since if you lose your device you'd lose your account. Supporting two-factor auth also requires supporting multiple ways to rescue your account if you lose your device (and don't write down your scratch tokens, which is common). Getting this flow to work in a way that actually adds any security benefit is difficult. See the amount of effort Google has gone through for this.
> >
> > Let's be a little real here, though. There's honestly no good reason to target these accounts. There's basically no major damage they can do and there's very little private information accessible to them, so attackers don't really care enough to attack them.
> >
> > We should take basic account security seriously, but we shouldn't go overboard.
> >
> > - Ryan

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
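Casey points at TOTP as the open standard behind authenticator apps, and Ryan notes that a usable deployment also needs a recovery path (scratch tokens) for the lost-device case. The following is an added example written for this page, not code from the thread, from MediaWiki, or from the OATHAuth extension: a minimal HOTP/TOTP implementation per RFC 4226 and RFC 6238, a drift-tolerant constant-time verifier, the base32 export that authenticator apps expect, and a single-use scratch-code store that keeps only hashes. The RFC test secret and the scratch-code count are the only inputs, and the class and function names are this example's own.

```python
"""
HOTP (RFC 4226) and TOTP (RFC 6238) with a single-use recovery-code store.
Added illustration for the thread above; not MediaWiki/OATHAuth code.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is floor(unix_time / step)."""
    return hotp(key, at // step, digits, algo)


def verify_totp(key: bytes, submitted: str, at=None, window: int = 1, **kw) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps so
    small clock drift between phone and server does not lock the user out.
    Comparison is constant-time so timing does not leak matching digits."""
    at = int(time.time()) if at is None else at
    step = kw.get("step", 30)
    for delta in range(-window, window + 1):
        expected = totp(key, at + delta * step, **kw)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def secret_to_base32(key: bytes) -> str:
    """Authenticator apps import the shared secret as unpadded base32
    (the `secret=` parameter of an otpauth:// URI)."""
    return base64.b32encode(key).decode().rstrip("=")


class ScratchCodes:
    """Single-use recovery codes for the lost-device case. Plaintext is handed
    out exactly once; only SHA-256 hashes are retained, and each code is
    discarded on its first successful redemption."""

    def __init__(self, count: int = 5):
        self._plain = [secrets.token_hex(5) for _ in range(count)]
        self._hashes = {hashlib.sha256(c.encode()).hexdigest() for c in self._plain}

    def issue(self) -> list:
        """Return the plaintext codes once, for the user to write down."""
        out, self._plain = self._plain, []
        return out

    def redeem(self, code: str) -> bool:
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if digest in self._hashes:
            self._hashes.discard(digest)
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    # Constructed demo using the RFC 4226/6238 test secret.
    rfc_secret = b"12345678901234567890"
    print("TOTP at t=59, 8 digits:", totp(rfc_secret, 59, digits=8))
    print("base32 for app import:", secret_to_base32(rfc_secret))
    codes = ScratchCodes(count=3)
    issued = codes.issue()
    print("scratch codes (show once):", issued)
    print("redeem first:", codes.redeem(issued[0]), "again:", codes.redeem(issued[0]))
```

The verifier's window of one step on each side is the usual trade-off: it tolerates roughly 30 seconds of drift without widening the guessing space much. A production deployment would additionally remember the last accepted counter per user so the same code cannot be replayed within the window, and would rate-limit failed attempts.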
