There are "good" reasons people would target checkuser accounts, WMF staff
email accounts, and other accounts that have access to lots of private info
like functionary email accounts and accounts with access to restricted IRC
channels.

Pine


On Thu, Aug 7, 2014 at 11:21 AM, Ryan Lane <rlan...@gmail.com> wrote:

> On Thu, Aug 7, 2014 at 6:58 AM, Casey Brown <li...@caseybrown.org> wrote:
>
> > On Thu, Aug 7, 2014 at 8:10 AM, Risker <risker...@gmail.com> wrote:
> > > A lot of the "solutions" normally bandied about involve things like
> > > two-factor identification, which has the "additional" password coming
> > > through a separate route (e.g., gmail two-factor ID sends a second
> > > password as a text to a mobile) and means having more expensive
> > > technology) or using technology like dongles that cannot be sent to
> > > users in certain countries.
> >
> > Actually, most modern internet implementations use the TOTP algorithm
> > open standard that anyone can use for free.
> > <https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm>
> > One of the most common methods, other than through text messages, is
> > the Google Authenticator App that anyone can download for free on a
> > smart phone. <https://en.wikipedia.org/wiki/Google_Authenticator>.
> >
> >
> Yep. This. It's already being used for high-risk accounts on
> wikitech.wikimedia.org. It's not in good enough shape to be used anywhere
> else, since if you lose your device you'd lose your account. Supporting two
> factor auth also requires supporting multiple ways to rescue your account
> if you lose your device (and don't write down your scratch tokens, which is
> common). Getting this flow to work in a way that actually adds any security
> benefit is difficult. See the amount of effort Google has gone through for
> this.
>
> Let's be a little real here, though. There's honestly no good reason to
> target these accounts. There's basically no major damage they can do and
> there's very little private information accessible to them, so attackers
> don't really care enough to attack them.
>
> We should take basic account security seriously, but we shouldn't go
> overboard.
>
> - Ryan
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>