On Wed, Apr 4, 2012 at 10:19 AM, K. Peachey <p858sn...@gmail.com> wrote: > On Wed, Apr 4, 2012 at 5:43 PM, Petr Bena <benap...@gmail.com> wrote: >> I have seen there is a lot of wikis where people are concerned about >> inactive sysops. They managed to set up a strange rule where sysop >> rights are removed from inactive users to improve the security. >> However the sysops are allowed to request the flag to be restored >> anytime. This doesn't improve security even a bit as long as hacker >> who would get to some of inactive accounts could just post a request >> and get the sysop rights just as if they hacked to active user. > > Not all wikis blindly give the user their rights back when they do > this "theatrical" based security model. > >> For this reason I think we should create a new extension auto sysop >> removal, which would remove the flag from all users who didn't login >> to system for some time, > > There is already one that does this from memory (Without checking, E:LandLord) > > >> and if they logged back, the confirmation >> code would be sent to email, so that they could reactivate the sysop >> account. > > Again, Just theatrical security, Most people tend to use the same > passwords everywhere, if this was the case for said Sysop, Their email > is also compromised. Also this would require wikis to have email > sending setup, as well as the user to have confirmed theirs. >
That's the problem of user if they use same password, but I believe that any users with any sense for security don't do that, sysops could be instructed to use different password than in their email. >> This would be much simpler and it would actually make hacking >> to sysop accounts much harder. > > Not really, per my point above. > It would per my point above your point. > On Wed, Apr 4, 2012 at 5:54 PM, Petr Bena <benap...@gmail.com> wrote: >> The target user should be notified according to their personal config >> (They could specify if they want to be warned if someone is about to >> compromise their account or not) > > Pointless user prefernce IMHO, we should just send them (for wikis > that have email setup) and probably inculde a note along the lines of > "You should consider making sure your password is secure, some handy > hints areā¦" > What is pointless on that, I believe many users would like to be informed that they are target of some hacker. Even providing information to identify them (to checkuser for example) like ip address, would be usefull to eliminate them somehow. If they don't like it, they can turn it off. _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
