The Signpost

Technology report

Bugs, Repairs, and Internal Operational News

Plans to improve password security

Head developer Tim Starling has proposed an upgrade of the way the MediaWiki software (and hence Wikimedia sites) hashes passwords (wikitech-l mailing list). He outlined concerns that if someone could acquire a hashed password from the database, they could recover the original password from it and log in as that user within 20 minutes, with no special hardware. Highlighting this issue, he requested that any new system be:

Tim Starling suggested that the "Whirlpool" hash be incorporated as a way of achieving this. The result was a general consensus that the proposed scheme was better than the current process, with a wide-ranging discussion of what might be even better. User:Simetrical played down the threat, arguing that "Hackers go after money, and there's no money in hacking Wikipedia. We have nothing secret or valuable that's not already readily available".

Concerning client-side improvements in password security, a JavaScript-based password complexity checker has recently been written (rev:70520), prompted by the remarks of a security researcher quoted in the Technology Report earlier this month (Study of web passwords includes Wikipedia).

See also earlier Signpost coverage about password security on Wikipedia: Four administrator accounts desysopped after hijacking, vandalism, Administrator status restored to five accounts after emergency desysopping (about a 2007 incident which led to some changes in MediaWiki and the start of the page Wikipedia:Security), Blank passwords eliminated for security reasons (2006), Password security upgraded after Slashdot furor (2005, about an incident after which salted passwords were introduced).


Google Summer of Code: Brian Wolff

We begin a series of articles about this year's Google Summer of Code (GSoC) with student Brian Wolff (User:Bawolff), who describes his project to improve MediaWiki's image metadata support:


Once finished and rounded off, the new code could easily be merged into the MediaWiki base, improving functionality for all new MediaWiki installations and upgrades, including Wikimedia sites. Metadata can also help volunteers to spot low-level image copyright infringement.

In brief

Not all fixes may have gone live to WMF sites at the time of writing; some may not be scheduled to go live for many weeks.

Wikipedia:Wikipedia Signpost/2010-08-23/Technology_report