Ya, well
I was a good girl and I did as I was told to do.
Now... I changed my password to a VERY simple one so that it takes less
time to relogin each time.
And most of my edits are anonymous... which creates a problem for me
because I keep being asked to fill in the captcha thing and of course I
miss all the nice user features... but it also creates a problem for my
peers who have to keep a watch on my anonymous edits.
So, I do not know what the extent of the current security issue is, but
I tell you that from a user perspective, the 2 factor authentication
system is absolutely not ok :)
I do not know how many people switched and I dunno if all meet the same
problem as I do.
If others are facing the same consequences... I believe you should stop
pushing people to implement the 2 steps.
If I am alone in this situation.... please someone remove the 2 factors
identification system from my account. Please. Please.
Anthere
On 21/11/2016 at 11:15, John Mark Vandenberg wrote:
Ya, this is why I haven't done it.
Also, I should be able to set it up such that TFA is not necessary
until my account attempts to do an admin action.
On Mon, Nov 21, 2016 at 4:37 PM, Florence Devouard <[email protected]> wrote:
Hello
I had the super bad idea of implementing the two-factor authentication and
now I need help :)
The system is not "recording" me as registered. Which means that I am
disconnected every once in a while. Roughly every 15 minutes... and every
time I change project (from Wikipedia to Commons etc.)
Which means that every 15 minutes, I need to relogin... retype login and
password... grab my phone... wake it up... launch the app... get the
number... enter it... validate... OK, good to go for 15 minutes...
So... how do I fix that?
Thanks
Florence
On 16/11/2016 at 10:57, Tim Starling wrote:
Since Friday, we've had a slow but steady stream of admin account
compromises on WMF projects. The hacker group OurMine has taken credit
for these compromises.
We're fairly sure now that their mode of operation involves searching
for target admins in previous user/password dumps published by other
hackers, such as the 2013 Adobe hack. They're not doing an online
brute force attack against WMF. For each target, they try one or two
passwords, and if those don't work, they go on to the next target.
Their success rate is maybe 10%.
When they compromise an account, they usually do a main page
defacement or similar, get blocked, and then move on to the next target.
Today, they compromised the account of a www.mediawiki.org admin, did
a main page defacement there, and then (presumably) used the same
password to log in to Gerrit. They took a screenshot, sent it to us,
but took no other action.
So, I don't think they are truly malicious -- I think they are doing
it for fun, fame, perhaps also for their stated goal of bringing
attention to poor password security.
Indications are that they are familiarising themselves with MediaWiki
and with our community. They probably plan on continuing to do this
for some time.
We're doing what we can to slow them down, but admins and other users
with privileged access also need to take some responsibility for the
security of their accounts. Specifically:
* If you're an admin, please enable two-factor authentication.
<https://meta.wikimedia.org/wiki/H:2FA>
* Please change your password, if you haven't already changed it in
the last week. Use a new password that is not used on any other site.
* Please do not share passwords across different WMF services, for
example, between the wikis and Gerrit.
(Cross-posted to wikitech-l and wikimedia-l, please copy/link
elsewhere as appropriate.)
-- Tim Starling
_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
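
An added example, not part of the original thread and not WMF tooling: a detection check for the pattern described in Tim Starling's message (one or two password tries per target admin, then on to the next), run over constructed log lines. The log format, field names, thresholds and function names are assumptions.

```python
from collections import defaultdict

# Constructed sample log lines (the format is an assumption, not MediaWiki's).
SAMPLE_LOG = """\
2016-11-16T09:00:01Z src=198.51.100.7 user=AdminA result=fail
2016-11-16T09:00:09Z src=198.51.100.7 user=AdminA result=fail
2016-11-16T09:01:15Z src=198.51.100.7 user=AdminB result=fail
2016-11-16T09:02:40Z src=198.51.100.7 user=AdminC result=ok
2016-11-16T09:03:05Z src=198.51.100.7 user=AdminD result=fail
2016-11-16T09:03:30Z src=203.0.113.20 user=AdminE result=fail
2016-11-16T09:03:41Z src=203.0.113.20 user=AdminE result=fail
2016-11-16T09:03:52Z src=203.0.113.20 user=AdminE result=fail
2016-11-16T09:04:10Z src=203.0.113.20 user=AdminE result=ok
"""


def parse(line):
    """Split one log line into (source, user, result)."""
    _timestamp, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return kv["src"], kv["user"], kv["result"]


def find_spread_sources(log_text, min_accounts=3, max_tries_per_account=2):
    """Flag sources that try many accounts with only a few attempts each.

    Returns {source: {"accounts": [...], "compromised": [...]}} where
    "compromised" lists accounts that source logged in to successfully.
    """
    tries = defaultdict(lambda: defaultdict(int))  # source -> user -> attempts
    hits = defaultdict(set)                        # source -> users with result=ok
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, user, result = parse(line)
        tries[src][user] += 1
        if result == "ok":
            hits[src].add(user)

    flagged = {}
    for src, per_user in tries.items():
        # Accounts this source touched only lightly (few guesses each).
        light = sorted(u for u, n in per_user.items() if n <= max_tries_per_account)
        if len(light) >= min_accounts:
            flagged[src] = {"accounts": light,
                            "compromised": sorted(hits[src] & set(light))}
    return flagged


if __name__ == "__main__":
    print(find_spread_sources(SAMPLE_LOG))
```

A single user mistyping their own password several times (the second source in the sample) is not flagged, because only one account is involved.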