Ya, this is why I haven't done it.

Also, I should be able to set it up such that TFA is not necessary
until my account attempts to do an admin action.

On Mon, Nov 21, 2016 at 4:37 PM, Florence Devouard <fdevou...@gmail.com> wrote:
> Hello
>
> I had the super bad idea of implementing the two-factor authentication and
> now I need help :)
>
> The system is not "recording" me as registered. Which means that I am
> disconnected every once in a while. Roughly every 15 minutes... and every
> time I change project (from Wikipedia to Commons etc.)
>
> Which means that every 15 minutes, I need to relogin... retype login and
> password... grab my phone... wake it up... launch the app... get the
> number... enter it... validate... OK, good to go for 15 minutes...
>
> So... how do I fix that?
>
> Thanks
>
> Florence
>
>
> On 16/11/2016 at 10:57, Tim Starling wrote:
>>
>> Since Friday, we've had a slow but steady stream of admin account
>> compromises on WMF projects. The hacker group OurMine has taken credit
>> for these compromises.
>>
>> We're fairly sure now that their mode of operation involves searching
>> for target admins in previous user/password dumps published by other
>> hackers, such as the 2013 Adobe hack. They're not doing an online
>> brute force attack against WMF. For each target, they try one or two
>> passwords, and if those don't work, they go on to the next target.
>> Their success rate is maybe 10%.
>>
>> When they compromise an account, they usually do a main page
>> defacement or similar, get blocked, and then move on to the next target.
>>
>> Today, they compromised the account of a www.mediawiki.org admin, did
>> a main page defacement there, and then (presumably) used the same
>> password to log in to Gerrit. They took a screenshot, sent it to us,
>> but took no other action.
>>
>> So, I don't think they are truly malicious -- I think they are doing
>> it for fun, fame, perhaps also for their stated goal of bringing
>> attention to poor password security.
>>
>> Indications are that they are familiarising themselves with MediaWiki
>> and with our community. They probably plan on continuing to do this
>> for some time.
>>
>> We're doing what we can to slow them down, but admins and other users
>> with privileged access also need to take some responsibility for the
>> security of their accounts. Specifically:
>>
>> * If you're an admin, please enable two-factor authentication.
>> <https://meta.wikimedia.org/wiki/H:2FA>
>> * Please change your password, if you haven't already changed it in
>> the last week. Use a new password that is not used on any other site.
>> * Please do not share passwords across different WMF services, for
>> example, between the wikis and Gerrit.
>>
>> (Cross-posted to wikitech-l and wikimedia-l, please copy/link
>> elsewhere as appropriate.)
>>
>> -- Tim Starling
>>
>>
>> _______________________________________________
>> Wikitech-l mailing list
>> Wikitech-l@lists.wikimedia.org
>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>>
>
>



-- 
John Vandenberg
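
Added example, not part of the thread and not WMF code: the quoted announcement describes an attacker who tries one or two leaked passwords per admin account and then moves on, a pattern that per-account failure counters do not see. This sketch groups login events by source instead; the event fields, the sample addresses and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample events: (source, account, success). Addresses come from
# the documentation ranges and the account names are made up.
EVENTS = (
    [("203.0.113.7", f"admin{i:02d}", False) for i in range(10)]        # one guess each
    + [("203.0.113.7", f"admin{i:02d}", False) for i in range(0, 10, 2)]  # second guess on some
    + [("203.0.113.7", "admin10", True)]           # a reused password works
    + [("198.51.100.4", "alice", False)] * 6       # one user mistyping
    + [("198.51.100.4", "alice", True)]
    + [("192.0.2.9", "bob", True), ("192.0.2.9", "carol", True)]  # ordinary logins
)


def find_low_and_slow_sources(events, min_accounts=8, max_tries=2):
    """Flag sources that try many accounts only a few times each.

    Assumed thresholds: at least `min_accounts` distinct accounts, each seen
    no more than `max_tries` times from that source.
    """
    tries = defaultdict(lambda: defaultdict(int))  # source -> account -> attempts
    wins = defaultdict(set)                        # source -> accounts logged in
    for source, account, success in events:
        tries[source][account] += 1
        if success:
            wins[source].add(account)

    flagged = {}
    for source, per_account in tries.items():
        low_touch = [a for a, n in per_account.items() if n <= max_tries]
        if len(low_touch) < min_accounts:
            continue
        flagged[source] = {
            "accounts_tried": len(per_account),
            "low_touch_accounts": len(low_touch),
            # Successful logins from a flagged source: reset and review these.
            "accounts_to_review": sorted(wins[source]),
        }
    return flagged


if __name__ == "__main__":
    for source, summary in find_low_and_slow_sources(EVENTS).items():
        print(source, summary)
```

The user who mistypes a password six times is not flagged, because the signal here is breadth across accounts rather than retries on one.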
