User:Tim Starling/Password matches

Just the facts for Slashdot readers:

  • The list that used to be here was created in July 2004. No similar list has been compiled since then. It used to list 109 accounts which shared the same password as those of known trolls and problem users.
  • The vast majority of the accounts listed had without any doubt been created by the same trolls or sock puppets under whose name they were listed.
  • No dictionary check had been performed against the password hashes. As such, it is possible that a very small number of legitimate accounts which share the passwords used by known trolls were listed. In this case, it is likely that the passwords were insecure to begin with, and susceptible to traditional dictionary attacks.
  • Wikipedia accounts contain no privacy-sensitive information aside from the e-mail address. To our knowledge, no account security had been compromised.

--Erik Möller, Chief Research Officer, Wikimedia Foundation. May 31, 2005.


Nonetheless, this list was at best borderline with respect to our privacy policy. I deleted it as soon as I was made aware it was still here (I'd been under the impression it had been deleted within hours of originally being posted, and no one has contacted me or the developers team about it that I'm aware of). If the site admins here on didn't remove it, that's a group failure and I'm rather disappointed.

--Brion Vibber, Chief Technical Officer, Wikimedia Foundation. 22:37, May 31, 2005 (UTC)


Note that MediaWiki has supported salted passwords for some time, though we hadn't initially enabled it for Wikipedia due to potential problems with transition to a future single sign-on system. With our current plans that's not an issue, and the hashes have been salted. It's no longer possible to do a mass password cross-check in the way the list formerly here was produced last year.

-- Brion 05:20, Jun 1, 2005 (UTC)
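
The following is an added illustration, not part of the statements above and not MediaWiki's code, of why per-account salting stops a cross-check that groups accounts by identical stored hash. The hash constructions, account names and passwords are assumptions made up for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample accounts (id, name, password); not real data.
ACCOUNTS = [
    (1, "Alice", "correct horse"),
    (2, "SockA", "hunter2"),
    (3, "SockB", "hunter2"),
    (4, "Bob", "tr0ub4dor"),
    (5, "SockC", "hunter2"),
]

def unsalted_hash(password):
    # Same password always yields the same stored value.
    return hashlib.md5(password.encode()).hexdigest()

def salted_hash(user_id, password):
    # Assumed scheme: the account id acts as a per-account salt.
    # MD5 is used only to mirror the era; new systems should use a
    # slow password KDF (bcrypt, scrypt, Argon2) with a random salt.
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(f"{user_id}-{inner}".encode()).hexdigest()

def build_tables(accounts):
    """Return (unsalted, salted) lists of (name, stored_hash)."""
    unsalted = [(name, unsalted_hash(pw)) for _, name, pw in accounts]
    salted = [(name, salted_hash(uid, pw)) for uid, name, pw in accounts]
    return unsalted, salted

def shared_hash_groups(table):
    """Names grouped by identical stored hash, groups of two or more only."""
    groups = defaultdict(list)
    for name, digest in table:
        groups[digest].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def verify_salted(user_id, password, stored):
    # Login is unaffected: recompute with the account's own salt.
    return hmac.compare_digest(salted_hash(user_id, password), stored)

if __name__ == "__main__":
    unsalted, salted = build_tables(ACCOUNTS)
    print("unsalted matches:", shared_hash_groups(unsalted))
    print("salted matches:  ", shared_hash_groups(salted))
```

Salting removes the equality signal between accounts, but it does not make a weak password strong: each hash can still be tested individually against a dictionary.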