>
> > Again, just theatrical security. Most people tend to use the same
> > passwords everywhere; if this was the case for said sysop, their email
> > is also compromised. Also, this would require wikis to have email
> > sending set up, as well as the user to have confirmed theirs.
> >
>
> That's the problem of the user if they use the same password, but I believe
> that any user with any sense for security doesn't do that; sysops could
> be instructed to use a different password than in their email.
>
> >> This would be much simpler and it would actually make hacking
> >> into sysop accounts much harder.
> >
> > Not really, per my point above.
> >
>
> It would per my point above your point.
>


The problem here is that it doesn't really discuss how a sysop account has
been compromised: via the email account? Via some more direct method?

As pointed out it is somewhat security theatre.

Besides, you're looking for a problem to fit the solution. On English
Wikipedia compromised accounts are, in themselves, rare occurrences, and
compromised sysop accounts rarer (read: I've never seen one!).

We discussed this at length when implementing the age-desysopping, and
agreed it wasn't an entirely failsafe method against compromise. But it
does provide a level of scrutiny to a returning sysop, and really that is
all that is needed. The amount of damage a compromised sysop account could
do isn't critical, and they can be stopped relatively easily - if they have
scrutiny.

This is the best form of security.

Tom
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l