Why this Site?

  • Our Mission:
  • We exist to shine the light of scrutiny into the dark crevices of Wikipedia and its related projects; to examine the corruption there, along with its structural flaws; and to inoculate the unsuspecting public against the torrent of misinformation, defamation, and general nonsense that issues forth from one of the world’s most frequently visited websites, the “encyclopedia that anyone can edit.”
  • How you can participate:
  •  Visit the Wikipediocracy Forum, a candid exchange of views between Wikipedia editors, administrators, critics, proponents, and the general public.
  • 'Like' our Wikipediocracy page on Facebook.
  •  Follow Wikipediocracy on Twitter!

Press Releases

  • Please click here for recent Wikipediocracy press releases.

Wikipedia’s deep-seated insecurity

By ABC123

Something remarkable happened on Wikipedia on November 4 2015. Within minutes of each other, two Wikipedia administrator accounts posted messages on the bureaucrat’s noticeboard stating that the accounts had been compromised. The accounts were quickly blocked and the Wikipedia Arbitration Committee removed the admin rights from both accounts until those administrators could show that they were in control of the accounts. Not surprisingly, this incident started a lot of people talking about password security. Wikipedians are very good at talking about things but, as we shall see, very bad at actually doing anything.

How did that happen?
Many explanations for how this happened have been offered by Wikipedians talking out of their asses, but the person responsible laid it all out in their very first message: “Login details for millions of accounts from various data breaches have been readily available in the public domain for months now. … If you use the same password across multiple websites including Wikipedia, your account might have already been compromised”. The perpetrator actually provided details in a Reddit discussion. The password of admin Salvidrim! came from a data breach of the website Xsplit that had been shared on the internet. The password of admin OhanaUnited came from a data breach of a Runescape forum. These two admin accounts were chosen simply because they recognized them as admin accounts and they were using numbers as passwords.

my password is the same as my luggage combo

What’s wrong with using a number for a password? Well, they are very easy to crack using brute-force methods. You just have to keep adding 1 and trying again until you succeed. Why are Wikipedia admins using passwords that consist of nothing but numbers and likely to be cracked? Because they can. Why can they? Because no one at the Wikimedia Foundation (WMF) has ever taken password security seriously.

 

Déjà vu all over again
In May 2007, four admin accounts were compromised. Each of the accounts was used to delete the main page and perform other miscellaneous vandalism. After the dust settled, one of the WMF developers ran a password cracker against all admin passwords and forced weak passwords to be reset. A Signpost report from the time says “several editors have called for increased password security”. The report also notes that “in the near future” a feature will be added for “more automated password-strength checking at login / set-password / change-password time to reduce the danger of guessable passwords”.

After the 2007 incident, a policy on account security was proposed. That proposal never became a policy and is now just called “an information page”. It states that it is “especially important” that admins and other users with advanced permissions have “strong passwords”. It goes to note that “Although the definition of ‘strong password’ is deliberately left unspecified, privileged editors are required to use strong passwords and are informed that Wikimedia system administrators will occasionally try to crack their passwords and disable those that can be cracked”. So, according to this information page (which is not a policy), admins are required to have strong passwords (although what “strong passwords” means is left for the individual admin to figure out).

In July 2008, two admin accounts posted messages on the administrators noticeboard indicating that the accounts had been compromised. This event followed a conjecture on Wikipedia Review that the two admin accounts were controlled by the same person and shared a password. At least part of that seems to have been proven correct.

The Signpost‘s 2 August 2010 edition featured a brief section on password security in Wikipedia. Researchers from the University of Cambridge analyzed user password handling on 150 websites. Wikipedia was rated as 4 out of 10 for password security. According to the Signpost, the issues at that time were: “the password selection advice does not prohibit dictionary words, a minimum length (>1) is not required, the use of numbers or symbols in the password is not enforced, federated identity services are not supported (although a MediaWiki extension for OpenID exists), the user list is not protected from probing (the list is intentionally available), and TLS is normally not used to protect password submissions (the password is sent in cleartext when logging in. However, the secure server provides encrypted connections)”. Since then, all WMF projects have switched to HTTPS, so that last one is no longer an issue.

In May of 2011, an admin account that appeared to have been compromised had its admin rights removed. The account was subsequently blocked. This incident sparked some discussion of removing rights for dormant admin accounts and password security in general. That discussion quickly expanded into a proposal for various improvements to password security. On Meta, the site for discussing all WMF projects, there is a request for comment about passwords. The current version notes that it is an attempt to “merge and refactor of two older but closely related discussions” from 2010 and 2013.

If I wait, it will go away

So now that there’s been another admin password-related issue, it appears that it’s time to talk about it some more. This time, it’s called a “security review” and the proposals are much more specific. But it’s still just a request for comment.

War is over, if you want it
Back in 2011, editors agreed to the simple step of adding a “password strength” display when creating or changing passwords. This didn’t happen, perhaps because a group of Wikipedia editors have no ability to influence development priorities. The same recommendation will undoubtedly be made in the current “security review”, but to what end? There is nothing wrong with having more discussions about password security, but the opinions of Wikipedia editors aren’t really important. This is an issue of site security. A cleverly malicious person with access to an admin account could cause damage which would likely require developer involvement to put right. This isn’t something that the Community should vote on. It is something that the Wikimedia Foundation needs to do if it wants to protect its projects and the people who volunteer on those projects.

The WMF already knows what needs to be done. They commissioned a report on the vulnerabilities of MediaWiki in December 2014. One of the recommendations is enforcing a strong password policy. Adopting this policy for all active admins and removing the rights of all inactive admin seem like no-brainers. Or, you could let your users discuss it and wait for the next admin account to be compromised.

3 comments to Wikipedia’s deep-seated insecurity

  • Ross McPherson

    Open Sesame.

  • Eagle

    Thank you for a good blog post. The fact that Wikipedia administrators have ignored years of sound advice regarding password strength is indicative of an unacceptable level of arrogance.

    The structure and administration of Wikipedia is not ready for prime time. This is one of the most visited sites on the internet and millions of people rely upon it. Yet, its content and integrity is so poorly monitored and left weakly protected.

  • Blythwood

    Fundamentally, it’s important that people see Wikipedia as a social network. Like all social networks, you may have posts on there that you wish not to have associated with your name, and you should take seriously the possibility that its security could be breached. (Unlike Facebook, you can’t easily delete your contributions.) To my mind not just password but email address is a major risk – I think anyone considering becoming a controversial Wikipedia editor should change their email address to one not easily associatable with them which they don’t use for other purposes. I have done this recently. I think also people should consider a reverse scenario, in which someone who wishes to damage you first accesses your email, stumbles on your Wikipedia account, and then starts to investigate your contributions history for anything that could be embarassing. (Obviously many Wikipedia contributors may be identifiable in the event of a large hack through IP addresses since Wikipedia blocks many VPN providers, but putting this together could be harder.) Then consider enabling two-factor authentication on that account.

    Personally, I don’t put my real name on Wikipedia more because of a generally reserved personality than because I think anything I’ve said on it could embarrass me. But I think people should be very careful with what facts about them are stored on Wikipedia’s database and what a future employer, lover or mortgage broker could conclude about you reading through your post history.