Something remarkable happened on Wikipedia on November 4, 2015. Within minutes of each other, two Wikipedia administrator accounts posted messages on the bureaucrats’ noticeboard stating that the accounts had been compromised. The accounts were quickly blocked and the Wikipedia Arbitration Committee removed the admin rights from both accounts until those administrators could show that they were in control of the accounts. Not surprisingly, this incident started a lot of people talking about password security. Wikipedians are very good at talking about things but, as we shall see, very bad at actually doing anything.
How did that happen?
Many explanations for how this happened have been offered by Wikipedians talking out of their asses, but the person responsible laid it all out in their very first message: “Login details for millions of accounts from various data breaches have been readily available in the public domain for months now. … If you use the same password across multiple websites including Wikipedia, your account might have already been compromised”. The perpetrator actually provided details in a Reddit discussion. The password of admin Salvidrim! came from a data breach of the website Xsplit that had been shared on the internet. The password of admin OhanaUnited came from a data breach of a Runescape forum. These two admin accounts were chosen simply because the perpetrator recognized them as admin accounts and both were using numbers as passwords.
What’s wrong with using a number for a password? Well, numeric passwords are very easy to crack using brute-force methods. You just have to keep adding 1 and trying again until you succeed. Why are Wikipedia admins using passwords that consist of nothing but numbers and are likely to be cracked? Because they can. Why can they? Because no one at the Wikimedia Foundation (WMF) has ever taken password security seriously.
Déjà vu all over again
In May 2007, four admin accounts were compromised. Each of the accounts was used to delete the main page and perform other miscellaneous vandalism. After the dust settled, one of the WMF developers ran a password cracker against all admin passwords and forced weak passwords to be reset. A Signpost report from the time says “several editors have called for increased password security”. The report also notes that “in the near future” a feature will be added for “more automated password-strength checking at login / set-password / change-password time to reduce the danger of guessable passwords”.
After the 2007 incident, a policy on account security was proposed. That proposal never became a policy and is now just called “an information page”. It states that it is “especially important” that admins and other users with advanced permissions have “strong passwords”. It goes on to note that “Although the definition of ‘strong password’ is deliberately left unspecified, privileged editors are required to use strong passwords and are informed that Wikimedia system administrators will occasionally try to crack their passwords and disable those that can be cracked”. So, according to this information page (which is not a policy), admins are required to have strong passwords (although what “strong passwords” means is left for the individual admin to figure out).
In July 2008, two admin accounts posted messages on the administrators noticeboard indicating that the accounts had been compromised. This event followed a conjecture on Wikipedia Review that the two admin accounts were controlled by the same person and shared a password. At least part of that seems to have been proven correct.
The Signpost’s 2 August 2010 edition featured a brief section on password security in Wikipedia. Researchers from the University of Cambridge analyzed user password handling on 150 websites. Wikipedia was rated as 4 out of 10 for password security. According to the Signpost, the issues at that time were: “the password selection advice does not prohibit dictionary words, a minimum length (>1) is not required, the use of numbers or symbols in the password is not enforced, federated identity services are not supported (although a MediaWiki extension for OpenID exists), the user list is not protected from probing (the list is intentionally available), and TLS is normally not used to protect password submissions (the password is sent in cleartext when logging in. However, the secure server provides encrypted connections)”. Since then, all WMF projects have switched to HTTPS, so that last one is no longer an issue.
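The password-selection gaps in the Signpost list above, together with the all-digit and reused passwords behind the November 2015 compromises, are what a check at set-password time can reject. The sketch below is an added example, not MediaWiki code and not part of the original article; the word list, breached list, thresholds and function names are assumptions constructed for illustration.

```python
import math
import string

# Constructed sample data (assumptions): a real check would load a full
# dictionary and a corpus of passwords leaked in other sites' breaches.
DICTIONARY = {"password", "wikipedia", "dragon", "letmein", "monkey"}
BREACHED = {"19870412", "qwerty123", "Summer2015!"}
MIN_LENGTH = 10        # assumed minimum length
MIN_SEARCH_BITS = 50   # assumed floor on brute-force search space

def search_space_bits(password):
    """log2 of the guesses needed to exhaust the character classes used."""
    alphabet = 0
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c not in string.ascii_letters + string.digits for c in password):
        alphabet += 33  # ASCII punctuation plus space
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def check_password(password):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if password.isdigit():
        problems.append("digits_only")
    # Strip trailing digits/symbols so "wikipedia2015" still counts as a word.
    base = password.lower().rstrip(string.digits + string.punctuation)
    if base in DICTIONARY:
        problems.append("dictionary_word")
    # Reuse is invisible to complexity rules, so it needs its own lookup.
    if password in BREACHED:
        problems.append("known_breached")
    if search_space_bits(password) < MIN_SEARCH_BITS:
        problems.append("low_search_space")
    return problems

if __name__ == "__main__":
    for candidate in ("12345678", "wikipedia2015", "Summer2015!",
                      "tundra-Velvet-93-quarry"):
        print(candidate, round(search_space_bits(candidate), 1),
              check_password(candidate) or "accepted")
```

The constructed entry "Summer2015!" passes every length and character-class rule and is rejected only by the breached-list lookup, which is the reuse problem the perpetrator described.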
In May of 2011, an admin account that appeared to have been compromised had its admin rights removed. The account was subsequently blocked. This incident sparked some discussion of removing rights for dormant admin accounts and password security in general. That discussion quickly expanded into a proposal for various improvements to password security. On Meta, the site for discussing all WMF projects, there is a request for comment about passwords. The current version notes that it is an attempt to “merge and refactor of two older but closely related discussions” from 2010 and 2013.
So now that there’s been another admin password-related issue, it appears that it’s time to talk about it some more. This time, it’s called a “security review” and the proposals are much more specific. But it’s still just a request for comment.
War is over, if you want it
Back in 2011, editors agreed to the simple step of adding a “password strength” display when creating or changing passwords. This didn’t happen, perhaps because a group of Wikipedia editors have no ability to influence development priorities. The same recommendation will undoubtedly be made in the current “security review”, but to what end? There is nothing wrong with having more discussions about password security, but the opinions of Wikipedia editors aren’t really important. This is an issue of site security. A cleverly malicious person with access to an admin account could cause damage which would likely require developer involvement to put right. This isn’t something that the Community should vote on. It is something that the Wikimedia Foundation needs to do if it wants to protect its projects and the people who volunteer on those projects.
The WMF already knows what needs to be done. They commissioned a report on the vulnerabilities of MediaWiki in December 2014. One of the recommendations is enforcing a strong password policy. Adopting this policy for all active admins and removing the rights of all inactive admins seem like no-brainers. Or, you could let your users discuss it and wait for the next admin account to be compromised.