Wikipedia:Administrators' noticeboard/Archive285

From Wikipedia, the free encyclopedia

Admin accounts still getting compromised

Hi all - little surprised this hasn't been posted a little more...prominently.. but there are still administrator accounts getting compromised, and you should be taking action to prevent your account being used maliciously. More information on the actual incident can be found here on Commons and a more recent update here.

To help defend against these compromises, please consider:

I think I speak for the community when I say this is important, and we need to overcome whatever hold it is these malicious actors have over our credentials. Thank you -- samtar talk or stalk 13:24, 16 November 2016 (UTC)

  • Yeah this is a pretty big deal. Can we initiate a forced reset of all admin passwords? Ivanvector (Talk/Edits) 13:34, 16 November 2016 (UTC)
  • This would be a nuisance to those who have already changed their passwords. The linked e-mail states "Please change your password, if you haven't already changed it in the last week." Espresso Addict (talk) 22:35, 16 November 2016 (UTC)

Couple of comments. 1. I would strongly recommend the WMF immediately attempt to crack every administrator password via a simple dictionary / rainbow table attack and desysop everyone they get hold of. This is a standard security procedure that is perfectly acceptable. 2. The instructions WP:2FA have got to be so super-duper simple that I can do it with my brain turned off. "First you must have or install a Time-based One-time Password Algorithm (TOTP) client" - that means I want a direct link to the Apple or Google store that works. The current instructions point to Google Authenticator, an article littered with {{fact}} tags which I normally take to mean "everything in this article is suspicious and may be false". Great. I do not want to have to spend time fiddling around with apps on my phone when I get it wrong, while simultaneously trying to deal with my kids who can do it with their eyes shut. You must not run the risk of people thinking it's too much hassle and not bothering. Remember, it is not a requirement to be good with computers or programming languages to become an administrator. Ritchie333 (talk) (cont) 13:46, 16 November 2016 (UTC)

  • (edit conflict) Point taken - I've updated the 2FA instructions with some Google Play/iTunes App store links and will try to rewrite some of the guide -- samtar talk or stalk 13:50, 16 November 2016 (UTC)
Okay, I've got 2FA turned on. One more thing, Special:OATH needs to be done on the local wiki where you have administrator rights, the instructions tried to log me in to Meta, where I don't have admin rights. All that said, once I had the app, scanned the code and put the key in, it didn't seem to be any more onerous than accessing internet banking, so my fears are a little alleviated. But we should still make the instructions as good as we can get. How can I help in this area? Ritchie333 (talk) (cont) 14:01, 16 November 2016 (UTC)
I see 2 {{fact}} tags in that article, and they're both on things that are obviously correct to anyone who knows how TOTP works. I wouldn't worry about them. 50.0.136.56 (talk) 10:33, 17 November 2016 (UTC)

(edit conflict) The 2FA instructions still don't work. I have installed Google Authenticator but "Special:OATH" is a link to an "Unauthorized" page. Admins on a Wikipedia are not automatically admins on Meta-Wiki and so this system simply doesn't work. Also it is not a "mobile phone" but a "smart phone". The two terms mean different things. Tim 14:05, 16 November 2016 (UTC)

(edit conflict × 2) Well I've made an edit-request for the watchlist notice which needs a helpful admin to move over. Other than changing/clarifying the Special:OATH link, is there anything else which could do with some clarification? Personally Ivanvector's suggestion to force-reset everyone's passwords is the next step if we see any other compromises -- samtar talk or stalk 14:08, 16 November 2016 (UTC)
Moved the watchlist notice. Katietalk 14:25, 16 November 2016 (UTC)
Cheers Katie, and good idea with the committed identity -- samtar talk or stalk 14:29, 16 November 2016 (UTC)
  • I'll update the help page on meta to state that it needs to be enrolled from the wiki you are admin on. — xaosflux Talk 16:35, 16 November 2016 (UTC)
I have updated Wikipedia:Simple 2FA as best I can to document what worked for me today, but I can't do much else without more testing. Ritchie333 (talk) (cont) 18:00, 16 November 2016 (UTC)
May I make another, somewhat late, suggestion? Include a second suggestion besides Google authenticator. Google is banned in some countries, such as China. Heimstern Läufer (talk) 10:21, 17 November 2016 (UTC)
We've included freeOTP and some other options, including a desktop client -- samtar talk or stalk 14:08, 18 November 2016 (UTC)

General discussion

To save people visiting this section from the watchlist notice, I've moved a block of discussion down here -- samtar talk or stalk 15:06, 16 November 2016 (UTC)

  • UK and EU law does not allow for the WMF (or anyone else for that matter) to forcibly attempt to crack user or admin accounts on Wikipedia. Force-reset the passwords yes, actively crack the account passwords no. There are ways a systems administrator can identify weakly passworded accounts (running the hashed PW against known blah blah blah), but these do not extend to actually identifying the password, as to test it is correct would require logging into it and opening them up to all sorts of data laws regarding accessing private accounts without permission. Consider this a friendly warning before someone starts getting bright ideas about doing their own pre-emptive cracking. Only in death does duty end (talk) 14:11, 16 November 2016 (UTC)
    • That aside (and yes, it wouldn't be a good idea for anyone to try that) - all we expect is our admins to reset their passwords if they haven't already, and strongly consider enabling two-factor authentication. If possible I'd like to see that watchlist notice get done, as some other editors may wish to reset their passwords also - it wasn't just administrator accounts whose details were supposedly gained, but it's fairly obvious which can cause more damage -- samtar talk or stalk 14:18, 16 November 2016 (UTC)
    • IANAL, but the ToU specify that any legal claim one might have against the WMF is subject to California law. If that doesn't suffice, WMF should add a clause to the password security section allowing cracking audits for privileged accounts. BethNaught (talk) 14:21, 16 November 2016 (UTC)
      • It's a long and detailed discussion but the short version is 'The TOU do not protect the WMF or individual editors/admins in this situation'. If you want a longer explanation pop a note on my talkpage. Only in death does duty end (talk) 14:32, 16 November 2016 (UTC)
        • And one can well imagine why such laws are necessary. "Hey, it's our site, (we're the bank, the local community org, Wikimedia) let's hack into everybody's account. And as long as we're there...hmmm...let's see if those accounts lead us to access on a person's computer....hmmm...the sky's the limit." — Maile (talk) 14:47, 16 November 2016 (UTC)
          • I'm not saying it's a good or a bad idea to run a password-cracker program (which I know has been done before), but anything the WMF did in this regard they would do in California through individuals based in California, and I suspect that any objection based on laws of other countries would simply be disregarded. Newyorkbrad (talk) 14:52, 16 November 2016 (UTC)

We aren't doing anything dumb like storing the 'password strength' value in the database, are we? If we are, please contact me. I understand we use PBKDF2 for password storage, which wouldn't be my preference (I prefer bcrypt), but is reasonable provided we are using a reasonable number of iterations. OWASP's Password Storage Cheat Sheet is useful, and this stackoverflow question implies Wikipedia should be using 256,000 iterations as of 2016 (64,000 in 2012, doubling every year, so two doublings). The rule of thumb is to target roughly 1 second of CPU time; I haven't run tests to ensure that's the case. But, given some of the accounts have apparently been hacked while using strong passwords, it's very likely Wikipedia's password storage isn't the source of the compromise, even if we are using a stupidly low number of iterations. --Yamla (talk) 15:03, 16 November 2016 (UTC)
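As an added illustration of the iteration-count check Yamla describes (this is example code written for this archive, not MediaWiki's own password code; the record format, function names and the 256,000 floor are assumptions taken from the post above), the following calibrates PBKDF2-HMAC-SHA256 against a CPU-time target, stores and verifies a salted hash, and flags stored records whose iteration count has fallen below current policy so they can be re-hashed at next login:

```python
# Added example, not MediaWiki code: PBKDF2 calibration, storage, verification and
# upgrade-on-login. Record format (assumed): algorithm$iterations$salt_hex$hash_hex.
import hashlib
import hmac
import os
import time

ALGORITHM = "pbkdf2_sha256"
SALT_BYTES = 16
DERIVED_BYTES = 32
MIN_ITERATIONS = 256_000  # the 2016 figure cited in the discussion above


def calibrate_iterations(target_seconds: float, probe: int = 20_000,
                         floor: int = MIN_ITERATIONS) -> int:
    """Estimate how many iterations cost roughly target_seconds on this host.

    Times one probe run and scales linearly (PBKDF2 cost is linear in the
    iteration count). Never returns less than `floor`, so a slow or busy
    host cannot talk the policy down below the minimum.
    """
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"calibration-probe", salt, probe, DERIVED_BYTES)
    elapsed = time.perf_counter() - start
    if elapsed <= 0:
        return floor
    estimate = int(probe * target_seconds / elapsed)
    return max(estimate, floor)


def hash_password(password: str, iterations: int = MIN_ITERATIONS) -> str:
    """Return a self-describing record with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations, DERIVED_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def parse_record(record: str):
    """Split a stored record into (iterations, salt, expected_hash)."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    iterations, salt, expected = parse_record(record)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, current_iterations: int = MIN_ITERATIONS) -> bool:
    """True when the record was made with fewer iterations than policy now requires.

    Because the iteration count travels with the record, old hashes can be
    upgraded transparently the next time the user logs in successfully.
    """
    iterations, _, _ = parse_record(record)
    return iterations < current_iterations


if __name__ == "__main__":
    n = calibrate_iterations(1.0)
    print(f"about {n} iterations for ~1 s of CPU on this host")
    rec = hash_password("example-only-password", n)
    print("verify:", verify_password("example-only-password", rec))
    print("needs rehash under current policy:", needs_rehash(rec))
```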

The attackers appear to have a password dump from a different website. They do not appear to be bruteforcing/dictionary attacking passwords directly from our db (either online, or trying to reverse our password hashes), as they are only successfully compromising about one in every 10 accounts they tried. Thus password strength is irrelevant in this attack (That said, please use strong passwords to protect against other potential attackers), the problem is users using the same password on other insecure websites. Do not share your passwords among multiple websites. Please enable 2FA. Thank you. BWolff (WMF) (talk) 15:11, 16 November 2016 (UTC)
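As an added detection example (written for this archive, not WMF tooling; the log format, addresses, usernames and thresholds are constructed assumptions), the pattern BWolff describes, many distinct accounts tried from one source with roughly a one-in-ten success rate, can be told apart from a plain brute force, which hammers a single account, by looking at distinct usernames per source rather than raw failure counts:

```python
# Added example, not WMF code: separating credential stuffing (leaked-password
# replay across many accounts) from brute force in a constructed login log.
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log line shape: "<timestamp> ip=<addr> user=<name> result=success|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts actually logged into


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole job
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "success":
            s.successes.add(rec["user"])
    return stats


def detect_credential_stuffing(lines, min_distinct_users=10,
                               max_attempts_per_user=2.0, max_success_rate=0.3):
    """Return {ip: summary} for sources that look like credential stuffing.

    Stuffing spreads over many usernames with about one try each and a low but
    non-zero hit rate (the ~1 in 10 quoted above). A brute force against one
    account fails the distinct-user test and is left for other rules.
    """
    flagged = {}
    for ip, s in aggregate(lines).items():
        distinct = len(s.users)
        if distinct < min_distinct_users:
            continue
        per_user = s.attempts / distinct
        rate = len(s.successes) / s.attempts
        if per_user <= max_attempts_per_user and rate <= max_success_rate:
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": distinct,
                "success_rate": round(rate, 2),
                # accounts that accepted a replayed password: force-reset these
                "compromised": sorted(s.successes),
            }
    return flagged


# Constructed sample log (RFC 5737 documentation addresses, invented usernames).
SAMPLE_LOG = (
    # one source replaying a leaked list: 20 different accounts, 2 succeed
    [f"2016-11-16T13:{i:02d}:00Z ip=203.0.113.7 user=user{i:02d} "
     f"result={'success' if i in (3, 14) else 'fail'}" for i in range(20)]
    # classic brute force: one account, one source, many failures
    + [f"2016-11-16T14:00:{i:02d}Z ip=198.51.100.9 user=AdminAlice result=fail"
       for i in range(15)]
    # ordinary user mistyping once, then a malformed line
    + ["2016-11-16T15:00:00Z ip=192.0.2.5 user=Bob result=fail",
       "2016-11-16T15:00:05Z ip=192.0.2.5 user=Bob result=success",
       "this line is malformed and must be skipped"]
)


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

Accounts listed under "compromised" are the ones to force-reset first; the brute-forced source is deliberately not flagged here because that is the case where password strength, not reuse, is the control.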
In the light of the newest batch of compromised accounts, is it worth doing another mailshot round to admins? I ignored the first message as it seemed to skimp over the real reason for sending it and made me think (as I'm sure other admins did) "well of course my account is going to be compromised!", only to change my mind like Beeblebrox after seeing more cracks. Just a paraphrase of "please change your password ASAP" should be enough - something as simple and idiot proof as you can get it. That TRP had no idea why his account was locked (despite getting the mailshot) suggests the previous mailshot did not work. Ritchie333 (talk) (cont) 15:23, 16 November 2016 (UTC)
Clearly worth doing - I believe from a message on Xaosflux's talk that there are discussions of some sort relating to this. I appreciate the possible PR issues and understand why the softly softly approach is needed, but it's clear that unless we get a grip on this situation now we're just going to be playing catch-up. Thankfully it's eased up, but the attempts are still ongoing, so it will happen again at some point -- samtar talk or stalk 15:29, 16 November 2016 (UTC)
  • For admins, we certainly can send another enwiki massmessage - suggest they change their passwords and consider enrolling in WP:2FA. There is a MMList here that can be used: Wikipedia:Administrators/Message_list. If this needs to go out to all editors, then we will need a banner campaign (and likely not limited to enwiki!) - or enwiki can put up a sitenotice for logged in users (mass message or watchlist will not be as effective for contacting all editors). — xaosflux Talk 16:28, 16 November 2016 (UTC)
  • Last time something like this happened we initiated a new policy, WP:STRONGPASS that should have made an attack like this impossible. This was supposed to be a binding policy on all administrators, but apparently a number of them, including Jimbo, ignored it. It was widely advertised at the time. Beeblebrox (talk) 16:39, 16 November 2016 (UTC)
    • Password strength is totally orthogonal to the issue being exploited in this attack. The strongest password in the world is useless if you reuse it on other websites that the attacker has access to. BWolff (WMF) (talk) 16:41, 16 November 2016 (UTC)
    • (edit conflict) @Beeblebrox: as much as having a strong password is important, unfortunately here it would not have helped - the attackers likely gained access to password dumps leaked from earlier hacks of other services (such as the Adobe hack earlier this year) and tried them on Wikipedia. It appears a number of editors and admins have been re-using passwords, which is why this attack worked. The key thing here is to change your password, use a unique password for Wikipedia and consider enabling 2FA -- samtar talk or stalk 16:44, 16 November 2016 (UTC)
I guess we didn't specify that since it seems so basic we shouldn't have to tell admins not to use their facebook password or whatever. It does appear to be mostly users who used their real names, making it easy to tie the two accounts. Beeblebrox (talk) 16:49, 16 November 2016 (UTC)
  • This serious security breach has reminded me why I've always refused to register with WP:UTRS. The registration page says "Warning: Do not use the Labs Project (this site) if you do not agree to the following: information shared with the Labs Project, including usernames and passwords, will be made available to volunteer administrators and may not be treated confidentially". I wonder how many UTRS admins use the same passwords as their Wikipedia accounts? Boing! said Zebedee (talk) 16:56, 16 November 2016 (UTC)
    • Please do not use your wikipedia name/password with stuff on tool labs. Anyone is allowed to create a tool, so the password can go to anybody. All new tools should use OAuth for authentication, which stops tools from needing your password. BWolff (WMF) (talk) 17:38, 16 November 2016 (UTC)
      • Obviously people shouldn't, no, but a UTRS system in which passwords are not confidential is asking for trouble - I was staggered when I found out about it. But can you at least confirm that UTRS was not the source of the current hack? Boing! said Zebedee (talk) 17:43, 16 November 2016 (UTC)
  • I think we return to the WP:NOTSUICIDE argument. The community has a right to protect itself. Admin accounts, if compromised, can do damage. A forced reset and mandatory 2-factor should be the minimum response, especially considering how many inactive admins we have on the books. Audits (although controversial) should be considered. Chris Troutman (talk) 17:19, 16 November 2016 (UTC)
  • Audits were approved by the community in the RFC that led to the STRONGPASS. As far as I know they have never been done though. Maybe now's the time? It's been a local policy for about a year and was adopted as a global policy as well. WMF staff were active in the global discussion at meta so they are well aware of it. Beeblebrox (talk) 17:23, 16 November 2016 (UTC)
  • Is there any technical reason that TFA has not been enabled for either all accounts or, to cut down on numbers but catch most active editors, any account with any additional permission? JbhTalk 17:50, 16 November 2016 (UTC)
    @Jbhunley: There simply isn't the infrastructure currently to deal with the people who will inevitably get locked out of their accounts. 2FA wasn't supposed to be rolled out this early at all, but in light of the circumstances it was. In due time it will be enabled for everyone once everything is set up. In the meantime, if you wish to have 2FA enabled on your account all you have to do is ask a steward to add you to the testing group (as I have). This can be done at m:Steward requests/Global permissions. Note that you only need advanced permissions on one CentralAuth wiki. So if you are a sysop on the testwiki for example you can enable 2FA there and it will be enabled here. --Majora (talk) 21:26, 16 November 2016 (UTC)
    I don't think it's technically possible to automatically enable it as it's also a two step process to set up, because it requires you to enter in a verification code from whatever client you will be getting the tokens from (e.g. Google Authenticator, winauth) in order to be paired up with that service. Jauerbackdude?/dude. 21:33, 16 November 2016 (UTC)
    "Enabled" as in turn the button that you have to click on. If you aren't a sysop or above on one CentralAuth wiki and you aren't part of the 2FA "testers" group you won't even see the button in your preferences to turn it on. Otherwise, yes. You have to physically enable 2FA by clicking said button. --Majora (talk) 21:37, 16 November 2016 (UTC)
    Ah, gotcha. I misunderstood the question. Jauerbackdude?/dude. 21:39, 16 November 2016 (UTC)
    @Majora: Thank you. JbhTalk 01:48, 17 November 2016 (UTC)
Is there any technical reason that TFA has not been enabled for either all accounts or, ... any account with any additional permission? — I suggest that forcing all editors, or even editors with some additional minor-not-admin rights (eg me, with AP, ECo, Rv) to use 2FA might be a bad idea, and might lose editors. I would be reluctant to have to get a smartphone, or install additional software on my PC, just to edit as a registered user. (I currently have a password that easily exceeds WP:STRONGPASS and is not used on any other site.) Mitch Ames (talk) 01:04, 17 November 2016 (UTC)
I think "enable" meant "make available for those who want it", not "make mandatory". Right now it's unavailable to regular users, but they are working on that. 50.0.136.56 (talk) 02:30, 18 November 2016 (UTC)
  • Is this a mobile only thing? I do not own a tablet and do not use my smart phone all that much (in fact I abhor the thing so I make a point to "forget it" as much as I feel I can get away with) and the way I am reading this it's primarily to defend against mobile editing issues, but I contribute only with a tower and/or laptop. I'm not going to put myself through the aggravation of doing the Texas two-step to log in if this is not an issue for the non-mobile editors (the tower/laptop crowd). TomStar81 (Talk) 02:42, 17 November 2016 (UTC)
    Not specifically, you can install a code generator on your computer (see Wikipedia:Simple_2FA#How_to_enable_2FA.2C_the_simple_way_.28desktop_-_Windows.29 for an example). If you do this, keep your setup information very secret so that it can't be used elsewhere. — xaosflux Talk 02:48, 17 November 2016 (UTC)
    • The traditional way to do it is with a dedicated device that you put on your keys, like this. That's both more convenient and more secure than a software token like on a smartphone, if you don't mind the additional small gizmo. They're around 5 USD each in quantity and I could imagine the WMF issuing them to users with access to private info (CU's etc.) who have to self-identify to the WMF anyway. The WMF issuing them would also make sure that the person supplied a working snail mail address to receive the token. I'm trying to find a place to get them cheap in small quantity for people who want to buy their own. 50.0.136.56 (talk) 10:22, 17 November 2016 (UTC)
  • Comment One further bit of advice: if you have a password manager and 2FA token on the same device (mobile phone or whatever), then if someone pinches your phone they have both authentication credentials. That may be less of an issue of password dumps getting loose though. 50.0.136.56 (talk) 10:11, 17 November 2016 (UTC)
if you have a password manager ... if someone pinches your phone they have both authentication credentials... — Not necessarily. If you have a password manager that encrypts your passwords with a strong master password/phrase (personally I use Password Safe), and if you keep the password manager locked (with the master password) when not in use, then someone stealing the device gets no passwords - just a database encrypted with a strong password that is only in your head. Of course the attacker may install a keylogger or other snooping software on the device then return it ("evil maid attack"), but that's a different problem. Mitch Ames (talk) 10:58, 17 November 2016 (UTC)
That works, but it's asking a bit much to expect most people to enter a complicated master password if their phone is idle for more than a few minutes. I can think of some alternatives but nothing I know of has caught on. Lots of people in fact do exactly what I described, which is why I brought it up as something to be careful about. You're using more cautious procedures than most people are willing to bother with. 50.0.136.56 (talk) 00:20, 18 November 2016 (UTC)

Two questions

1) Is this latest hacking activity happening only to admin accounts, or is it part of a wider hacking happening on Wikipedia?
2) How is WP:INACTIVITY monitored? Right now, it doesn't seem like a good idea to have stagnant admin accounts on Wikipedia.

— Maile (talk) 17:07, 16 November 2016 (UTC)

As far as I know it is limited to admins. There's little point to hacking an account with no advanced permissions. And don't get me started on the inactive admin policy. I tried to get it beefed up a while back, but everybody insisted that just making one edit every few years was enough to protect the project from rogue admins. Beeblebrox (talk) 17:13, 16 November 2016 (UTC)
So far 5 of the compromised accounts have been normal users, however they don't seem to be targeting them as much anymore. Additionally at one point they compromised a crat and used it to promote a normal account they had recently created. However patterns can change, so please secure your account even if you are not an admin. BWolff (WMF) (talk) 17:36, 16 November 2016 (UTC)
I was surprised to find the compromised admin accounts seem to be people with recent activity. If this were not the case, and the crackers were targeting "sleeper admins", we'd have a brilliant case for strengthening WP:INACTIVITY. But I don't think we do. Ritchie333 (talk) (cont) 18:03, 16 November 2016 (UTC)

I gave up on that after the RFC last year. I presented an example of an admin whose last hundred edits go back eight years, who hasn't used their admin tools in any way in seven years, so basically isn't an admin, but gets to permanently keep the tools so long as every time they are informed they are about to use them, they just reply to the message and -bam- renewed for another two years. Why someone would cling to administrative rights they clearly have no intention of using is a bit obscure to me, but apparently enough of the community is ok with it to let it persist. Or maybe, looking back, I didn't do a good enough job presenting the case, I don't know. Beeblebrox (talk) 18:50, 16 November 2016 (UTC)

@Beeblebrox: In light of recent events, I think that now is a good time to revisit the current policy on admin inactivity. If you and/or any other users are interested, I'm willing to help draft a new RfC -FASTILY 09:38, 17 November 2016 (UTC)
@Beeblebrox and Fastily: As an editor who has also proposed increasing the activity requirements, this is another good reason for it. I doubt anything will change unless we have proof that inactive editors have been targeted though. Sam Walton (talk) 11:01, 17 November 2016 (UTC)

Possibly related at VPump. This individual has not edited since Dec 2015, but more significantly, has not used the tools since May 2012. And still has the tools. Nobody seems to be saying it's a compromised account, but it's a case for more oversight of tools. — Maile (talk) 19:04, 16 November 2016 (UTC)

To be more specific, they used their tools once in 2012, and that is the only time they have used them in the past ten years, before that they used them about fifty times in 03-06, and that's it. But still an admin so long as they make an edit every two years. Beeblebrox (talk) 19:13, 16 November 2016 (UTC)

For reference, though, getting back to the original question, the actual process for removing admins via our current, extremely lax policy is documented at Wikipedia:Inactive administrators. All one would have to do is remove themselves from the list there and then they're good for another two years even if they do nothing else. Beeblebrox (talk) 19:22, 16 November 2016 (UTC)

A bot actually updates that, if they make any edit-anywhere, or any log action they will get retained. If the community wants to define a new activity requirement for admins an RfC will need to be passed. — xaosflux Talk 22:43, 16 November 2016 (UTC)
A vote (link) three weeks ago to remove rights from a long term Commons bureaucrat, based on the spirit of the inactivity policy rather than a literal reading, makes for an interesting test case. If only for the fact that the mood of the community is demonstrated by the vote being 100% to remove rights. -- (talk) 10:25, 17 November 2016 (UTC)
I would support putting through an amendment to the de-adminship policy permitting some sort of non-adversarial process for doing a similar thing. Perhaps talk with the Arbcom folks about using the committee members as a decision-making panel, to avoid WP:NOTAVOTE issues. When there's concern that an admin with no misconduct issues isn't really going with the spirit of the inactivity policy, the members of Arbcom would then vote on whether the admin should retain rights. Since the voting would be done by the arbitrators as individuals, not as the official committee acting on a case, we'd go to the vote without workshop, case pages, proposed decisions, etc. A decision to remove rights would be treated as any other inactivity case — we would need to be careful to emphasize that the desysop was not some sort of sanction, and the rights-removal log would need to be something like "Procedural removal of +sysop due to inactivity", just like with an admin who just hadn't edited at all. Nyttend backup (talk) 16:39, 17 November 2016 (UTC)
I do still believe the policy needs to be stricter, but I don't want to be the primary drafter of a contentious RFC. I started one on unique passwords because I feel this is an emergency situation and it is important for all admins to know about it and to get it into policy ASAP, but other than that I'm pretty much done with pushing big policy RFCs. I'll happily participate and offer advice to drafters who are interested though. As always, I will shamelessly plug my essay on the subject: User:Beeblebrox/The perfect policy proposal. Beeblebrox (talk) 19:52, 17 November 2016 (UTC)
I thought that inactive admins got their bit turned off for security reasons, but they could get it back on request if they became active again. If you're saying they'd need a new RFA or something like that, then that would be a hard sell and I'd hope it wouldn't pass. I'd expect there aren't a huge number of inactive admins (> 1 year) so maybe it's worthwhile to send an email reminder to any admins that haven't edited in that long. 50.0.136.56 (talk) 00:12, 18 November 2016 (UTC)
Inactive admins (no logged events in > 1 year) should indeed have their bit removed permanently (or until they pass another RfA). The main issue being admins that haven't edited for a long time and then find themselves doing something wrong because they weren't up to date with current community norms. There have been a couple of examples recently. Black Kite (talk) 00:16, 18 November 2016 (UTC)
Meh, the same thing happens with active admins. An admin with good common sense is much more valuable than someone who is boned up on the latest wikilawyering but is clueless, even if the sensible admin has some out-of-date knowledge here and there. The cases where someone got in trouble is that they were obnoxious about defending errors instead of saying "oops, I see what you mean, thanks". 50.0.136.56 (talk) 00:29, 18 November 2016 (UTC)

We do all make mistakes here and there, no doubt, but there is an ever-diminishing group of admins who were appointed "back in the day" (usually defined as pre-2007) when RFA was a cakewalk, or in some cases not even done at all. Some of these admins are still active members of the community, but there are some that seem to make an edit once every year or so just so they get to hold onto their bits for another year. Some of them have not actually used their tools in five years or more, yet stubbornly cling to them for no apparent reason. We shouldn't have people holding advanced permissions if they don't intend to use them, yet our current policy allows exactly that, having no requirement whatsoever regarding actually using admin tools. One edit every two years is all you need to retain admin status indefinitely, and even if you have it removed you still have another year to ask for it back, and then you're set for another two years. Does that really seem right to anyone? Beeblebrox (talk) 21:16, 18 November 2016 (UTC)

We have one of the loosest admin activity policies of the "big" Wikimedia wikis - see m:Admin activity review/Local inactivity policies. --Rschen7754 05:22, 19 November 2016 (UTC)

Tools

If we enable 2FA, how are we supposed to login to tools like AWB? Timrollpickering 10:58, 17 November 2016 (UTC)

@Timrollpickering: Either the tool is changed to use OAUTH, letting MediaWiki take care of the authentication, or you can use bot passwords. -- AntiCompositeNumber (Leave a message) 12:13, 17 November 2016 (UTC)
I use BotPasswords, it has the benefit of setting that logon to not have the full sysop package too (e.g. your AWB BotPassword will not need to block users or delete pages; you can control what access it has). — xaosflux Talk 13:02, 17 November 2016 (UTC)

New information page and navbox

I've created a new page Wikipedia:Compromised accounts to try to explain why accounts get compromised, and measures that can be taken. Also a new account navbox might help people find account related info more easily, including a/c security.

Any comments at all? --Jules (Mrjulesd) 00:09, 18 November 2016 (UTC)

I made a few small edits. 50.0.136.56 (talk) 00:37, 18 November 2016 (UTC)
Thanks! --Jules (Mrjulesd) 02:03, 18 November 2016 (UTC)
I made a few copyedits too, though this may overlap with Wikipedia:Personal security practices; perhaps the two should be combined. Sam Walton (talk) 11:50, 18 November 2016 (UTC)
Thanks. I agree that this may be possible. --Jules (Mrjulesd) 12:07, 18 November 2016 (UTC)
Tell people that writing down passwords is much safer than using the same password on every site. That outdated rule ("don't write passwords down") made sense at a time when people only used a computer at work, nowadays it does more harm than good... Prevalence 02:58, 19 November 2016 (UTC)
I don't think anyone is saying not to write them down. Generally speaking using password managers is probably the safest technique, but obviously they need to be backed up elsewhere otherwise they are lost from a broken device. Physically writing them is vulnerable to theft unfortunately.--Jules (Mrjulesd) 22:47, 20 November 2016 (UTC)

2016 Arbitration Committee elections

Voting in the 2016 Arbitration Committee Elections is now open through Sunday, 23:59, 4 December to all unblocked users who have registered an account before Wednesday, 00:00, 28 October 2016 and have made at least 150 mainspace edits before Sunday, 00:00, 1 November 2016. If you wish to participate, please review the candidates' statements and submit your choices on the voting page. Mz7 (talk) 00:09, 21 November 2016 (UTC)

Rfc on upgrading the NAC essay to a guideline

Interested editors can comment on the Deletion process talk page. Thanks. Lourdes 05:38, 21 November 2016 (UTC)

Mass (and probably multilingual) addition of unsourced birth dates, etc

The edits of User:Swineposit came to my attention via the article on Sirkka-Liisa Konttinen (see Talk:Sirkka-Liisa Konttinen), but Yamaguchi先生 had already noticed oddities. Swineposit has been most active with birth dates, in particular adding those that are "sourced" by virtue of appearing in Wikipedia articles on other languages, or that are "unsourced", which seems to mean "invented". Yamaguchi先生 blocked him indefinitely; and rightly so, I believe. (And massive thanks to Davey2010 for mass rollbacking.)

It does seem that, whether out of laziness or incompetence, Wikipedia contributors do often pull stuff from articles in other-language Wikipedias. Thus a lot of the poorly sourced and unsourced (probably including fictional) material added to biographical articles here will make its way to their equivalents in French, Japanese, etc. However, there's more. Swineposit nonchalantly talks of editing French- and Macedonian-language Wikipedias. I'd already known that he'd been active on Portuguese-language Wikipedia; it doesn't stop there. Few edits to each of these, but some are newish: Latvian, Asturian, Serbo-Croatian. Few edits to each of these, none of them new: Uzbek, Irish, Kazakh, Basque, Faroese, Dutch, Swahili, Ido, Esperanto, Azeri. This list is not exhaustive. And there may be other usernames involved (cf "MaryCatherineismyname" here).

Oh, and another fun fact: a remarkable percentage of the edits concern 27 March. I'd had no reason to think that this wasn't as humdrum a date as most others, but Wikipedia proved me wrong. -- Hoary (talk) 01:38, 19 November 2016 (UTC)

Macedonian (a single, recent edit); French (a lot, some of it recent); Greek (very little, but very recent); German (not much; very recent); Neapolitan (little, old); Russian (little, very recent); maybe more besides. -- Hoary (talk) 02:08, 19 November 2016 (UTC)
And some more: Ilokano (two, this year); Slovenian (quite a few, this year); Afrikaans (one, new); Tamil (one, this year); Nahuatl (several, two of them this year); Malay (two, old); simple English (four, two of them this year). -- Hoary (talk) 02:31, 19 November 2016 (UTC)
No worries. It seems that apart from my mass rollback he's been adding unsourced crap for quite some time and has more or less constantly been reverted by various editors too. He's blocked indef and personally I don't think that should change - of course if someone would mentor the editor then I would perhaps support unblocking providing the unsourced edits stop. –Davey2010Talk 02:53, 19 November 2016 (UTC)
And some more: Italian (quite a bunch, several of them this month); Spanish (few, but two of them this month); Turkish (only one, old); Czech (only one, old); Slovak (only one, old); Swedish (only four, but one very recent); Danish (only four, old); Norwegian (Bokmål) (few, but one from this year); Norwegian (Nynorsk) (only one, but it's new); Icelandic (not many, but one from this year). ¶ Again, I have no reason to think that this list is exhaustive. I'd thought that there was some tool that presented stats for any username across the entire range of WMF sites (every Wikipedia, plus Commons, plus very much more); but if it does exist then I can't think where it might be, and some searches have failed to unearth it. -- Hoary (talk) 04:38, 19 November 2016 (UTC)
@Hoary: WMFlabs Global user contributions may be what you're looking for. What a mess. BlackcurrantTea (talk) 05:15, 19 November 2016 (UTC)
Excellent! Just what I'd been looking for. Here's Swineposit, who's been active in "104 projects". ¶ I do know that global blocks only work for IP numbers; and that although a "global lock" would do the job, the circumstances wouldn't demand it. -- Hoary (talk) 05:34, 19 November 2016 (UTC)

Yes, multilingual childishness[edit]

Let us consider Dimitrios Maximos (Δημήτριος Μάξιμος): not a household name to most anglophones, but a prime minister and definitely somebody meriting an encyclopedia article free of "factual information" merely plucked from a contributor's fundament. On 11 November 2016, Swineposit added a birth date of 27 March to the English article about this person. (Does 27 March sound familiar?) And on the same day he did the same to the Greek article. Four days later, he did the same to the French article (together with a special bonus).

However, also on 11 November:

-- and yes, all for the same one person, Dimitrios Maximos.

Davey2010 and BlackcurrantTea are right. And if global blocking worked for user IDs and not just IP numbers, I'd apply for a global block of Swineposit right now. -- Hoary (talk) 07:19, 19 November 2016 (UTC)

@Hoary: What you're looking for is meta:Global locks: stewards can globally lock named accounts, which prevents log-ins and editing across all wikis. — Diannaa 🍁 (talk) 14:21, 19 November 2016 (UTC)
Thank you, Diannaa. I doubt that I could get a global lock for this. But I have asked on Wikidata:Administrators'_noticeboard that Swineposit be blocked from Wikidata. -- Hoary (talk) 05:14, 20 November 2016 (UTC)
I think you could build a fair case for this account being locked. My concern is that some good edits are being made, so maybe more should be done to contact the person and ask them why this is happening first. But if it continues, then a global lock would be absolutely appropriate if bad content is being added across multiple wikis. -- Ajraddatz (talk) 23:33, 20 November 2016 (UTC)
I've tried asking on User talk:Swineposit, but all I've elicited is semi-comprehensible apologetic waffle about "mistakes" and also -- I think, but it's hard to understand -- the use of other-language Wikipedia articles as sources. If these really are mistakes (which strains credulity), then I'm certain that anybody capable of them shouldn't be allowed to edit anything. And the latter story is highly implausible, given that (i) Swineposit happily splatters different misinformation on various pages about the same person (see my description here in Wikidata), and (ii) he has demonstrably given two different dates of birth (one of them a trolls' favorite, 27 March) for somebody, Sirkka-Liisa Konttinen, whose only other-language page (in Finnish) had no date. (It was the edits to the article on Konttinen that first alerted me to this mess.) My concern is that this person will simply lie low for a little while and then pop up with a different username. (I don't want to reopen the extremely tired debate about the ease with which untried, brand new and unregistered users can edit Wikipedia, but I am amazed that even Wikidata allows mere IP numbers to fiddle with the data that connect the various Wikipedias.) -- Hoary (talk) 00:05, 21 November 2016 (UTC)
PS. I talk above of difficulty of understanding. In order to illustrate this, here's a fairly randomly chosen example from Swineposit's user talk page: "Her birth date was unknown, because it was correct. Keep her article on birth date unsourced." In the context, it would make sense if it were instead: "Her birth date was unknown; therefore it was correct not to give any birth date. Keep her article free of any claim for a birth date, because any claimed birth date would be unsourced." However, something very different might have been intended. -- Hoary (talk) 05:49, 21 November 2016 (UTC)

Puff piece?[edit]

I've just come across Mark Featherstone-Witty as linked from Liverpool Institute for Performing Arts. Both articles appear to have substantial CoI issues, with the former seemingly almost totally created by a user with the same name. I've put on warnings on both articles, talk pages, and users, but would appreciate a second look from another admin or two to consider whether either or both should be radically reverted (the former even deleted?) --AlisonW (talk) 14:14, 21 November 2016 (UTC)

For the account named LIPALiverpool, I'm going to soft-block them, as that's a pretty obvious violation of WP:GROUPNAME. The edits don't seem to be TOO promotional, so hopefully a hard block won't be needed in the future. RickinBaltimore (talk) 14:37, 21 November 2016 (UTC)

Group of Six Artists[edit]

I've had this article on my watchlist and I've been noticing a lot of strange edits popping up in the past month (see history). They are mostly minor unconstructive changes and they were all made by new users with only a few edits who appear to have no knowledge of the article subject. Even the most substantial edit upon further observation appears to be just a re-arranging of sentences. It seems suspicious, but I don't know what purpose these edits would serve, so I thought I'd let you guys know. DaßWölf 19:41, 21 November 2016 (UTC)

Possible (old) paid-editing account[edit]

I've stumbled across one of these. What's the best venue for discussing it? --Dweller (talk) Become old fashioned! 17:59, 21 November 2016 (UTC)

Can you share some diffs to see what is going on? RickinBaltimore (talk) 18:08, 21 November 2016 (UTC)
Usually, Wikipedia:Conflict of interest/Noticeboard is the venue, I would think. Alanscottwalker (talk) 18:12, 21 November 2016 (UTC)
If by old you mean inactive, and the paid-editing is declared/obvious, merely adding a connected-contributor-paid banner to article talk pages plus a user talk warning (and article maintenance tags if edits are still live and need review) is what I'd do. If the account is still active then yea, WP:COI/N would be the first venue I guess (after a user-talk discussion attempt).  · Salvidrim! ·  19:38, 21 November 2016 (UTC)

Thanks, chaps. Salvidrim, they're by a long since inactive contributor. Please point me in the direction of the right tags. Some of the articles may be heading for AfD, as he's not done the best job of it (mind you, they've survived 5 or so years, so what do I know). --Dweller (talk) Become old fashioned! 21:46, 21 November 2016 (UTC)

{{Connected contributor (paid)}} is the talk page banner (or {{Connected contributor}} for COI without specific monetary ties, such as autobios), see the template page for documentation on parameters. {{COI}} is the one that goes on the article itself, and {{uw-coi}} is the user warning but if the user is long gone it might be useless.  · Salvidrim! ·  22:00, 21 November 2016 (UTC)

Deletion by new User?[edit]

It appears User:Aaron's The Best deleted a page and moved pages but it also appears this user is new and not an admin. Something seems off about that, no? Alanscottwalker (talk) 12:14, 21 November 2016 (UTC) This is what my watchlist says:

  • (Move log); 06:15 . . Aaron's The Best (talk | contribs) moved page Talk:Slave and free states to Talk:Slave states and free states
  • (Move log); 06:15 . . Aaron's The Best (talk | contribs) moved page Slave and free states to Slave states and free states over redirect
  • (Deletion log); 06:15 . . Aaron's The Best (talk | contribs) deleted page Slave states and free states (G6: Deleted to make way for move)

--Alanscottwalker (talk) 12:22, 21 November 2016 (UTC)

  • I can't find the link now, but there was a change to the logging so that when a user moves a page over a redirect, it now logs it as a delete of the old redirect, whereas it didn't before. Edit: ah, here you go -> link. Black Kite (talk) 12:24, 21 November 2016 (UTC)
Oh, ok. Thanks. Alanscottwalker (talk) 12:29, 21 November 2016 (UTC)
I guess the only question now, is how G6 really applies, as that says it's for admins who are absolutely certain there is no need for discussion or controversy - and now moves over re-directs apparently need no discussion and no admins. Alanscottwalker (talk) 12:34, 21 November 2016 (UTC)
"and now moves over re-directs apparently need no discussion and no admins." - As far as I am aware they didn't before except where a move was contested (like any other move). The only difference is that now it is logged more explicitly. I don't see why the reference to G6 needs to be there anyway, 'Deleted to make way for move' should be enough? Only in death does duty end (talk) 13:18, 21 November 2016 (UTC)
Well, G6 is there. As to contested, the call from WP:MOVE is conditional and requires a pre-determination that there will not be contest or else don't make it, without an attempt at discussion. At any rate, we'll see how it goes regarding controversy, and if documentation remains as is. Alanscottwalker (talk) —Preceding undated comment added 13:35, 21 November 2016 (UTC)

The MediaWiki software automatically adds the content of MediaWiki:Delete and move reason as the deletion reason when moving a page over an already existing one. That text is used regardless of what permissions one has, hence also for non-admins, irrespective of what the policy says. Jo-Jo Eumerus (talk, contributions) 16:09, 21 November 2016 (UTC)

Ahh, I saw this recently on my watchlist from a user I know isn't an admin. Thanks for clearing up the mystery. Lugnuts Precious bodily fluids 18:36, 21 November 2016 (UTC)
There's literally no technical difference from previous operations: it's just appearing in the logs. Before, any autoconfirmed user could create B as a redirect to A and then move A to B; now, any autoconfirmed user can do the same. Before, the edit creating B would just disappear; now it actually shows up as a deleted edit in the logs, and admins can view the creating edit in Special:Undelete. See the history and logs for User:Nyttend/A and User:Nyttend/B, which I just now created and moved without using any admin tools. So basically, it's just a better way of documenting what's been possible since 2004 at latest. Nyttend (talk) 22:12, 21 November 2016 (UTC)
Are you saying it only works if you create the redirect and then move it? (Why you did it that way, instead of just moving is just extra steps?). Alanscottwalker (talk) 23:02, 21 November 2016 (UTC)
Once again, nothing has changed except the logging mechanism. If you could move a page over a redirect before, you can still move it. If you couldn't move it before, you still can't. I gave that as an example because it was simpler than saying "move A to B, make no edits to A whatsoever (even ones that don't change the content), and move B over A". Nyttend (talk) 00:27, 22 November 2016 (UTC)

Jytdog[edit]

(non-admin closure) Content dispute, iron out on the article talk page. Beyond My Ken (talk) 04:33, 22 November 2016 (UTC)
The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

There was a harsh overreaction by Jytdog (talk · contribs) on my talk page that I would like to kindly ask the user to refrain from repeating, and preferably have deleted from my talk page. It's not proportionate. I am aware that there are more users who feel bullied by this user and I would like to express my consideration for our common responsibility of contributing to a positive Wikipedia. As for his sense of ownership of the article Craig J. N. de Paulo, which has been very hard to improve under his constraints (feel free to investigate its history), I don't really care anymore. It's fine, he may have it his way completely with that article of his. I really just don't want to have him harassing my talk page. Thank you. Chicbyaccident (talk) 17:47, 21 November 2016 (UTC)

  • User:Chicbyaccident, did you add unsourced content and did you try to restore unsourced content? QuackGuru (talk) 18:58, 21 November 2016 (UTC)
  • If you add unsourced material to a BLP ([1]) you can't really complain when another user drops an {{unsourced}} template on your talk page. However, it does appear that this can be sorted out via discussion on the talk page, and is thus a content dispute and not something that WP:ANI needs to concern itself with. Black Kite (talk) 19:03, 21 November 2016 (UTC)
  • Admins usually consider unsourced content a "content dispute". We can change how Wikipedia works. How about if an editor repeatedly restores unsourced content they can be greeted with a short ban if they were previously warned to stop? QuackGuru (talk) 19:11, 21 November 2016 (UTC)
  • Chicbyaccident: I am sorry that you feel badly treated by the messages on your talk page, but they really are not harassment, and are standard practice at Wikipedia. Please feel free to simply delete any message that you do not want to keep on your own user talk page (but of course not anywhere else). It is perfectly acceptable to delete personal messages once they have been read, so you do not need to feel like those messages have to stay there. --Tryptofish (talk) 20:08, 21 November 2016 (UTC)
  • Broadly agree with all of the above. This is a perfectly acceptable response to adding unsourced content and edit warring. If you don't like it, don't do those things. Beeblebrox (talk) 22:13, 21 November 2016 (UTC)
  • just as a note, the relevant article Craig J. N. de Paulo is one of several in WP that are related to a shadowy world on the fringes of established churches (mainly Roman Catholic, Orthodox, and Anglican) populated by people who are obsessed with elaborate titles (and strangely, heraldry) who create whole fancy hierarchies for themselves to inhabit. WP is very fertile ground for them to build and "authenticate" these sand castles. User:Anglicanus kindly explained all that to me - he/she is one of WP's quiet laborers patrolling and keeping that stuff out of WP. The OP is the latest in a series of accounts that have sought to elaborate this article. Jytdog (talk) 22:56, 21 November 2016 (UTC)

The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

Patrolling without user right RfC[edit]

See this RfC clarifying whether editors without the new page reviewer user right may patrol new pages (in the sense of cleanup tags and deletion nominations). ~ Rob13Talk 12:19, 22 November 2016 (UTC)

Two-Factor Authentication now available for admins[edit]

Hi,

TOTP-based two-factor authentication is now available for all administrators, crats, CU, and OS. I highly recommend you enable this from Special:Preferences - it provides an extra layer of security besides passwords. You can use an app on your phone like Google Authenticator to manage the codes, and if you don't have a smartphone, there are other alternatives that run on laptops. Please be careful and write down the scratch codes though - if you get locked out of your account because you lose your 2fa, it may not be possible to recover your account. I would appreciate if others could help disseminate this information to other admins/crats/CU/OS. I'll work on creating some documentation about this once I'm no longer scrambling. Thanks, Legoktm (talk) 15:14, 12 November 2016 (UTC)

Thanks, Legoktm, I assume that you're using it yourself now? ;) I've forwarded a link to this to the Functionaries email list as well. ​—DoRD (talk)​ 15:47, 12 November 2016 (UTC)
I'm passing it around the IRC areas, and letting my Commons colleagues know. Nick (talk) 15:56, 12 November 2016 (UTC)
Could @Legoktm: or somebody else please explain this in terms suitable for the stupider admin demographic? I see the link "Enable two-factor authentication" in my prefs, but I hesitate to click on it. Will something irreversible happen if I do? Will I have to remember and somehow use (?) my "scratch codes" (?) forever more? Bishonen | talk 16:23, 12 November 2016 (UTC).
Every time you log on with a password you will also have to enter your 2FA code from your authentication device. The scratch codes are one-time logon codes in case you lose your device. — xaosflux Talk 16:27, 12 November 2016 (UTC)
(edit conflict) Nope. I once clicked it on Commons, didn't activate it there, and opened a new browser (say, Firefox) and tried to log in there. Success. — regards, Revi 16:27, 12 November 2016 (UTC)
You said you didn't activate it? You have to activate it, then it should be active on all projects using central auth. — xaosflux Talk 16:34, 12 November 2016 (UTC)
Yes, I didn't activate it. (I'm replying to "but I hesitate to click on it. Will something irreversible happen if I do?" of Bishonen.) — regards, Revi 16:40, 12 November 2016 (UTC)
If you click on the link, there are still steps you have to go through to activate 2fa. It is also possible to deactivate it if you decide you don't want to use it. ​—DoRD (talk)​ 17:12, 12 November 2016 (UTC)
What happens when a user with 2FA enabled loses sysop/CU/OS/etc rights? Is 2FA still enabled? --Thibaut120094 (talk) 17:25, 12 November 2016 (UTC)
My understanding is that if a user loses their eligibility to use 2FA (e.g. by losing any and all groups that granted it to them) then it will remain enabled, but they will no longer be able to access the special pages for managing OATH, so they won't be able to disable 2FA. --Alex Monk (WMF) (talk) 18:32, 12 November 2016 (UTC)

This is good information, I suggest we massmessage the enwiki admins - will give it a day for any comments first; if anyone wants to help write up the massmessage text, feel free to drop a template below! — xaosflux Talk 16:36, 12 November 2016 (UTC)

What where and how is "my authentication device"? On my non-existent smartphone? I'm frankly not sure it sounds like something I want. I log in and out quite a lot [inexplicable coughing fit] and would rather not add extra hassle to the procedure. Anyway, I have a pretty strong password. And, while I respect WP:BEANS, is it known or suggested that the recent hackery attacked weak passwords? (Was Jimbo's 1234..?) Bishonen | talk 16:41, 12 November 2016 (UTC).
Just wait for the promised manual. You can get a bit of an idea by clicking on the link (nothing happens yet at that point - just do not click Submit).--Ymblanter (talk) 16:48, 12 November 2016 (UTC)
Thankfully, it cannot be activated accidentally. A code from the authentication app is required to complete the process. ​—DoRD (talk)​ 17:19, 12 November 2016 (UTC)

I notice admin socks apparently can't use it. (I don't have an "Enable two-factor authentication" link.) But shouldn't they be able to? Suppose somebody hacked me or Bishzilla and started making statements with our authority seemingly behind it. Unfortunate to say the least. darwinbish BITE 16:43, 12 November 2016 (UTC).

Striking out. You're not allowed in Wikipedia space! However, to be serious, is there a reason everybody can't have it? Bishonen | talk 16:45, 12 November 2016 (UTC).
There's currently phab:T100375 about the user interface of the feature, and open questions as to what the procedure might be for resetting accounts for users who lose their device and their one-time scratch codes. Anomie 18:17, 12 November 2016 (UTC)

It is written that we cannot lose our scratch codes, as the account cannot be restored without them. If we do lose them however, can't we identify ourselves to stewards, much like written in here? Bharel (talk) 16:54, 12 November 2016 (UTC)

You need a root DB user to do that. We stewards don't have such access. If I am right those single-use codes serve as TOTP tokens just in case you lose your token generator device. To prove the identity of an account, my guess is that I'd continue sticking to a committed identity. Corrections welcome. Regards, MarcoAurelio (talk) 17:22, 12 November 2016 (UTC)
If you lose your scratch codes and your 2fa device, and you can prove who you are beyond doubt (What "beyond doubt" means I'm not sure, but I guess committed identity is a good choice), then a developer will remove the 2fa from your account. However, please don't lose your scratch codes. BWolff (WMF) (talk) 17:58, 12 November 2016 (UTC)
The scratch codes are HOTP rather than TOTP, although the distinction doesn't make any difference to you as an end user. Anomie 18:17, 12 November 2016 (UTC)
It turns out I was wrong. The scratch codes are just random values saved in the database and checked against. Anomie 20:48, 20 November 2016 (UTC)

How does this work for people who are admins on another project, but not this one - will the TFA be global? Andy Mabbett (Pigsonthewing); Talk to Andy; Andy's edits 17:11, 12 November 2016 (UTC)

Presumably, with SUL, once activated on any project, it will be active everywhere. ​—DoRD (talk)​ 17:14, 12 November 2016 (UTC)
Yes it works globally and it is also available for admins on other projects. --Thibaut120094 (talk) 17:23, 12 November 2016 (UTC)
Yes. I activated on Commons, and when I was logging in to enwiki (where I don't have sysop bit) I was asked to submit. — regards, Revi 17:24, 12 November 2016 (UTC)

How will this work with WP:AWB? --Rschen7754 17:41, 12 November 2016 (UTC)

Good question. I've opened phab:T150582. Regards, MarcoAurelio (talk) 17:50, 12 November 2016 (UTC)
You can use BotPasswords for your own account to log on to AWB even if 2FA is active - not sure if this is a good thing or not, but you could use it to limit your AWB access to only what you need when using it. — xaosflux Talk 17:56, 12 November 2016 (UTC)
Longer term, AWB should either use OAuth or should switch to action=clientlogin. Anomie 18:17, 12 November 2016 (UTC)
+1 enabling OAuth for AWB is a great idea. — xaosflux Talk 18:20, 12 November 2016 (UTC)
  • Wanted page Help:Two-factor authentication - anyone with good experience in writing up Help pages :D — xaosflux Talk 18:07, 12 November 2016 (UTC)
  • Excellent news. I would also support mass messaging administrators about this. Are there plans for expanding access to all users sometime in the future? Mz7 (talk) 19:08, 12 November 2016 (UTC)
    I think that 2FA should definitely be extended to Edit Filter Managers as they can screw things up mightily as well. BethNaught (talk) 19:12, 12 November 2016 (UTC)

FWIW: This may be compromised email accounts (shared passwords possibly) - I got notice of a password recovery email that I did not initiate. — xaosflux Talk 19:24, 12 November 2016 (UTC)

@Xaosflux: Could we get that mass message sent out ASAP? More accounts are getting compromised, left and right... MusikAnimal talk 19:27, 12 November 2016 (UTC)
Make sure that the email account you use has two-factor set up on it as well... --Rschen7754 19:34, 12 November 2016 (UTC)
  • Awesome initiative! I suggest adding Board members, stewards, arbitrators, and soon propagate to other projects. Pundit|utter 19:54, 12 November 2016 (UTC)
  • I don't understand why us lowly users don't get access to this extra layer of security. Does this mean I need to go through an RfA, just so I can use 2FA? Doesn't sound quite fair.—cyberpowerChat:Limited Access 19:58, 12 November 2016 (UTC)
    @Cyberpower678: All in due time. They were/are working on it for everyone. It was rolled out early for people with advanced permissions in light of the circumstances. Once they have the infrastructure and the protocols to help the people who get locked out of their accounts (which will happen) it will be rolled out to everyone. --Majora (talk) 20:04, 12 November 2016 (UTC)
    Makes sense. I'm fortunately a sysop on the testwiki so I can activate mine from there.—cyberpowerChat:Limited Access 20:06, 12 November 2016 (UTC)

A good bit of the above would make a good start of a FAQ for the help page, if someone is interested in doing that. ​—DoRD (talk)​ 20:24, 12 November 2016 (UTC)

  • I wrote a quick blog post about this, corrections earnestly welcomed. Anyone else remember Tubgirl in the site notice in 2007? - David Gerard (talk) 20:23, 12 November 2016 (UTC)
    Talk:Main Page/Archive 98#Who the hell put encylopedia my ass on the page?????? 53 seconds I'll never forget. -- zzuuzz (talk) 20:29, 12 November 2016 (UTC)
    @David Gerard: In regards to your comment about fobs in your blog post - In the long term, we would actually like to support physical tokens as an option people could enable (e.g. U2F). See phab:T150565. BWolff (WMF) (talk) 21:02, 12 November 2016 (UTC)
    I'll add that then :-) It's useful that these days everyone carries a suitable token device around with them, of course ... - David Gerard (talk) 09:11, 13 November 2016 (UTC)
  • I have 2 questions. What to do if you lose access to the application on your phone? And how to authorize via API if you have two-factor authorisation.--Anatoliy (Talk) 20:57, 12 November 2016 (UTC)
    • When you enable 2FA you are given a number of one time use codes to print out and keep in a safe place. If you lose both the app and these extra codes, you are then locked out of your account (Similar to if you totally lose your password and recovery email. If you can prove who you are, a developer can restore your account to you, but you must have strong proof). BWolff (WMF) (talk) 21:02, 12 November 2016 (UTC)
    • As for the API: You can use action=clientlogin for interactive login, or OAuth (preferred) or BotPasswords for automated login. Anomie 22:57, 12 November 2016 (UTC)
  • Question: Before someone complains, I note of the Google Authenticator used in the 2FA service: "Previous versions of the software were open-sourced but subsequent releases are proprietary." Does anyone else feel we will get 'issues' because of that? I know it is only a service, but somehow it feels wrong to be closed source. --AlisonW (talk) 21:37, 12 November 2016 (UTC)
    You can use FreeOTP, which is fully open source, and available in free app stores like F-Droid. Legoktm (talk) 21:47, 12 November 2016 (UTC)
  • This is fantastic. It was very easy to implement for my own account. Great work! Mkdwtalk 01:35, 13 November 2016 (UTC)
  • Question/comments When I first read about this security layer on the mailing list, I felt really interested. Now, I am not feeling that much interested. a) My main issue is I don't have a smartphone with scanning feature. Looks like I have to add those long codes manually. b) These tokens will never be shown again. -- I have not enabled it still, but every time I am refreshing the page I am getting the same 5 codes. Does it mean these tokens will never be shown again after I enable it? c) I have been using Google 2 Step Verification for many years now. I find it easier to use where they send a code to your phone, backup phone, and finally you have an option to add a recovery code. Anyway, thanks for enabling this feature. We needed better protection options. --Tito Dutta (talk) 02:35, 13 November 2016 (UTC)
    The "never again" part: once you complete the enrollment you will never be able to retrieve those again; you don't add those codes - you would manually add the one code that is under the QR code. — xaosflux Talk 02:47, 13 November 2016 (UTC)
  • Shouldn't 2fa be available to bots? Compromised bots could do bad things which would not be easily noticed (because their edits are marked as a bot edit). And maybe also for filemovers, since they could easily vandalize a lot of pages with just one filemove (using a gadget). Pokéfan95 (talk) 02:52, 13 November 2016 (UTC)
    • 2FA does not make sense for bots, since the idea is to authenticate through separate systems, but a bot does not have separate systems. Bots are encouraged to use the bot password feature though. BWolff (WMF) (talk) 04:18, 13 November 2016 (UTC)
      • @BWolff (WMF): For the most part, bots should be using OAuth or BotPasswords already to limit their exposure, that is why 2FA for the main account shouldn't be an issue. Older bots that don't support oauth or botpasswords would have a problem trying to use 2FA though. — xaosflux Talk 04:19, 13 November 2016 (UTC)
        • Bots should use OAuth if possible. If it's not possible, any bot should be easily able to use BotPasswords simply by changing the password used for login in its configuration file. Anomie 23:57, 13 November 2016 (UTC)
  • Two-factor-authentication is a welcome addition, certainly. I'll echo-paraphrase a post above ... I don't have a smartphone at present. I'm wondering if this is 3rd-generation 2FA technology; most 2FA I've seen involves the use of text messages as the second factor for 2nd gen. 1st gen 2 factor is based on, like, RSA hard tokens or, more recently, soft token applications. I look forward to the manual which explains in less technical terms how to take advantage if you are not a smartphone user. Thank you for taking this forward - it is a step in the right direction. --User:Ceyockey (talk to me) 03:03, 13 November 2016 (UTC)
  • Google's 2-step verification is user-friendly and allows users to lock it onto their home PC so they can skip the dual stage, and only need to type in a password, though would continue to require two stage for any other machine. Wikipedia's 2-step is a little off-putting, and doesn't appear to allow locking onto a chosen machine, so two stage verification would always be needed, even on a secure home PC. I should imagine there would be a number of admins who would not be using Wikipedia's 2-step because it appears difficult to implement, insists on 2 stage verification every time, and would permanently lock you out of your account if you make a common human error of losing things. I think it would make sense to implement a more flexible and user-friendly two stage verification - even if that makes it slightly less safe. Better to have a 95% safe verification system that 100% of admins use, than a 100% safe verification system that only 5% of admins use. SilkTork ✔Tea time 12:30, 13 November 2016 (UTC)
  • Just a thought - is this going to be made compulsory for admins? If not, then I fear it might not help much, because those admins more conscious about security and more likely to adopt it are already more likely to be using more secure passwords that better resist brute-force attacks (which is very likely what's happened here). Those who aren't too hot on security and who are likely to be the ones with weaker passwords won't be as keen to adopt 2FA. (I've been involved in password security issues for a long time in one way or another, and my biggest lesson is that appealing to people to voluntarily do things better is usually doomed to failure.) Boing! said Zebedee (talk) 13:14, 13 November 2016 (UTC)
    • In the near future, it will not be compulsory for admins. In the long term - its a possibility. However, we will not do that without having an extensive discussion/rfc on wiki. BWolff (WMF) (talk) 19:29, 13 November 2016 (UTC)
      • OK, thanks. Boing! said Zebedee (talk) 23:14, 13 November 2016 (UTC)
        • It will probably become de facto mandatory for new admins by way of RFA question "will you commit to activating 2FA if successful". Stifle (talk) 09:58, 14 November 2016 (UTC)

I keep getting "Failed to validate two-factor credentials" when I hit Submit with the code from Google Authenticator and "Wikimedia:<my name>" .... anybody else having this problem? - DavidWBrooks (talk) 17:07, 13 November 2016 (UTC)

Did you use "Wikimedia:DavidWBrooks" or "Wikimedia:<my name>"? De728631 (talk) 18:04, 13 November 2016 (UTC)
"Wikimedia:DavidWBrooks" - not sure why I wrote it the other way. - DavidWBrooks (talk) 21:06, 13 November 2016 (UTC)
DavidWBrooks The name is actually just a label for your device, and does not actually "do" anything as far as I can tell (e.g. I enrolled a second device and put WikiPEDIA instead of WikiMEDIA, but still get the same codes). The two-factor secret key is important, check your entry for things like ZERO vs "O" mismatches. — xaosflux Talk 00:16, 14 November 2016 (UTC)
  • Why don't I have the option to receive an email when my password or other critical information has changed? That seems common sense for security. I don't use mobile devices as admin, so this seems to be a lot more pain than gain. A second "different" password would be simpler and more effective, particularly since uptake would be higher and the learning curve is zero. Dennis Brown - 19:52, 13 November 2016 (UTC)
  • It'd be nice to see this implemented for our bots as well, unless it already is and I missed the memo. «»Who?¿? 23:53, 13 November 2016 (UTC)
Scratch last, I missed the topic where it was covered above. «»Who?¿? 00:02, 14 November 2016 (UTC)
  • What about us admins who don't have smart phones (call me old-fashioned but I have a phone for phoning, a camera for taking photographs with, and a laptop for computing). I'm pretty sure that my password is secure. Should there be any attempt to force admins to use this, I for one will be voicing my opposition to such proposal. Mjroots (talk) 16:12, 14 November 2016 (UTC)
    • There are ways to run 2FA apps on a standard computer (though this can weaken the security model 2FA is meant to support). Chrome users can run the GAuth addin; it is possible to get an Android virtual machine on Windows to run the android-based Google Authenticator app within it. There's probably more similar methods too. --MASEM (t) 16:32, 14 November 2016 (UTC)
      • You can also run a 2FA app on a standalone tablet, and presumably someone's written a version for a laptop or desktop. --Carnildo (talk) 03:35, 15 November 2016 (UTC)
        • There's also totp-me for feature phones that can run J2ME applets. Anomie 13:17, 15 November 2016 (UTC)

Update: People in the Edit filter managers group can now also enable 2FA. BWolff (WMF) (talk) 20:25, 14 November 2016 (UTC)

Quick question : does enabling 2FA mean it is reasonably safe to log into an administrator account on a public PC, such as in a library, school or airport? I know many admins have alt accounts specifically for this purpose? Ritchie333 (talk) (cont) 13:34, 16 November 2016 (UTC)

@Ritchie333: I suppose as long as you don't select Keep me logged in or if you explicitly log out you should be safe from having someone log in, as they will be presented with the 2FA challenge (more on that). However, I think the main reason admins are twitchy about logging into public computers is the possibility of keyloggers/other unsavoury software making a record of your password. It's still not the best idea, but it is slightly safer -- samtar talk or stalk 13:42, 16 November 2016 (UTC)
Hmm. Recent account compromises suggest that many admins are following security practices significantly worse than logging into shared computers. If the computer was maliciously controlled, the attacker could steal your session cookie and then continue using your account on other computers (this applies regardless of whether you check the "remember my password" box; in fact, since the computer is not yours, someone could have modified it to always check the box even without it being shown as checked). Of course the counter argument is, probability-wise, how likely is it that someone has modified that computer and cares about your Wikipedia account (as opposed to people's bank accounts)? Someone could also modify the computer to record your password (2FA would mean that they can't use that password to log in, but an attacker having your password is in a significantly better position than one without your password, even with 2FA enabled). I would recommend against logging in on shared computers if your account is sensitive. If you do ever log in on a shared computer, you should probably at a bare minimum have 2FA enabled and be browsing in "incognito" mode, which will make you mildly safer, but ultimately not that much safer. BWolff (WMF) (talk) 15:45, 16 November 2016 (UTC)

Mass message draft

I've drafted a short message that could be sent out to administrators. @Xaosflux and MusikAnimal, and others, do you have any additional suggestions?

If all looks well, I can send it out shortly. Mike VTalk 19:54, 12 November 2016 (UTC)

What is "TOTP"? Jo-Jo Eumerus (talk, contributions) 19:57, 12 November 2016 (UTC)
@Mike V: I would also add the recommendation to enable 2FA on their email account, if possible. The issue here as I understand it is they're getting passwords that were leaked from other sites, so we should make sure our admins know to use a unique password for their WM account and their email account MusikAnimal talk 19:58, 12 November 2016 (UTC)
@Jo-Jo Eumerus: TOTP is short for Time-based one-time password. In a nutshell, to log-in you enter your password and an additional code that changes frequently (usually every 30 seconds). @MusikAnimal: After, ... your account will not be recoverable. I could add "Furthermore, you are encouraged to utilize a unique password and two-factor authentication for the email account associated with your Wikimedia account. This measure will assist in safeguarding your account from malicious password resets." Mike VTalk 20:09, 12 November 2016 (UTC)
Sounds good :) Thanks! MusikAnimal talk 20:10, 12 November 2016 (UTC)
OK, the message has been successfully sent to those on this list. Mike VTalk 20:42, 12 November 2016 (UTC)
  • "Authentication device"? I don't use apps and am liable to change computer at a moment's notice. Also I edit from different IPs at times. I don't use a smartphone for anything much online except finding out where 'here' is, and how to get 'there'. (In fact, a lot of my phone use is done on a stupidphone...) My password at WP isn't used anywhere else, and nor is my email PW. If someone will give me a link for this confirmation of identity thing, I'll do that, but I think I'm more likely to lock myself out using this other thing. Peridon (talk) 21:01, 12 November 2016 (UTC)
    @Peridon: Full instructions for creating a committed identity are in the template documentation for Template:Committed identity. In short, you take a bunch of non-public verifiable information about yourself, turn it into a random string using a cryptographic hash function, and then post it on your userpage. If you ever need to confirm that you are the same person who put the committed identity on your userpage, you would send the information to a trusted user, who would put it through the same hash function and compare the results. -- AntiCompositeNumber (Leave a message) 21:22, 12 November 2016 (UTC)
@AntiCompositeNumber: Thanks for that - I'll look into it tomorrow, As to the other thing, I hope that by then someone will have a definitive version of what it's about in language that people like Bishonen and I can understand. And I too don't trust a Google involvement. I haven't got a password with them, and I don't intend to give them one. Peridon (talk) 22:08, 12 November 2016 (UTC)
  • I just set up 2FA after my account got compromised earlier today. Much easier than I expected, in fact! Thanks. --AlisonW (talk) 21:09, 12 November 2016 (UTC)
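The committed-identity scheme described above, as an added example that is not part of the original thread and not the code of Template:Committed identity itself. It assumes SHA-512 (check the template documentation for the hash it actually expects), and it also shows the caveat a practitioner would want: if the committed statement is built only from guessable facts, anyone can recover it from the published hash by enumerating the unknown part, so the statement needs a random component that only you keep. The statements and the 4-digit "PIN" are constructed sample inputs.

```python
"""Hash commitment in the style of a committed identity, plus a brute-force check.
Added example; not the template's own code. SHA-512 is an assumption here."""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional


def commit(statement: str) -> str:
    """Hex digest to post publicly; the statement itself stays private."""
    return hashlib.sha512(statement.encode("utf-8")).hexdigest()


def verify(published_hash: str, claimed_statement: str) -> bool:
    """What the trusted user does later: rehash what you send them and compare."""
    return hmac.compare_digest(commit(claimed_statement), published_hash)


def brute_force(published_hash: str,
                build: Callable[[str], str],
                candidates: Iterable[str]) -> Optional[str]:
    """An attacker who can guess the statement's shape only has to enumerate
    the unknown part. Returns the recovered value, or None if the space is exhausted."""
    for cand in candidates:
        if commit(build(cand)) == published_hash:
            return cand
    return None


def strengthen(statement: str, nbytes: int = 16) -> str:
    """Append a random token (kept with the statement, never published) so that
    guessing the human-readable part is no longer enough."""
    return f"{statement} token={secrets.token_hex(nbytes)}"


def four_digit_pins() -> Iterable[str]:
    """The whole search space for a 4-digit PIN: 10,000 candidates."""
    return (f"{i:04d}" for i in range(10_000))


if __name__ == "__main__":
    # Constructed sample: a statement whose only "secret" is a 4-digit PIN.
    weak = commit("Committed identity of Example. Phone PIN 4321")
    print("weak recovered:",
          brute_force(weak, lambda p: f"Committed identity of Example. Phone PIN {p}",
                      four_digit_pins()))
    strong = commit(strengthen("Committed identity of Example. Phone PIN 4321"))
    print("strong recovered:",
          brute_force(strong, lambda p: f"Committed identity of Example. Phone PIN {p}",
                      four_digit_pins()))
```

Ten thousand SHA-512 calls finish in well under a second, which is the point: a committed identity made of a name, a birthday and a phone number is a commitment to a few dozen bits, not to the 512-bit digest's apparent strength.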

Whenever I have implemented two-factor authentication in the past, I've always done it by providing my phone number. Is there a reason why this is being done by Google Authenticator? I don't use my phone to log in. I log in from a laptop. The impression I get from the Google Authenticator article is that you have to be logging in from the mobile device. Or will logging in from any device generate a code sent to your phone? I am sure that is what actually happens, but am double-checking here first, as the Wikipedia article is not clear, has a 'citation needed' tag, and shouldn't be relied on anyway... Carcharoth (talk) 21:35, 12 November 2016 (UTC)

@Carcharoth: Sites such as Yahoo Mail that send you a code via text message, that you use to login, are simply implementing the same 'standard' without requiring you to generate the codes locally. You can actually configure a code generator for Yahoo Mail, and it will produce the same codes that they send you by text. Google Authenticator is simply one 'implementation' of this software... any compliant generator will work (I use the Amazon one). Reventtalk 21:40, 12 November 2016 (UTC)
Thank you. My concern is that the Google Authenticator requires Android 2.1 or higher to be installed. I have recently had a problem with upgrading What's App on my phone, and the upgrade process keeps failing. I wouldn't want to be locked into relying on upgrades on my phone to the Google Authenticator app to be able to access Wikipedia. To be clear, can the process of generating codes be transferred from device to device if one of them fails for some reason? Carcharoth (talk) 21:44, 12 November 2016 (UTC)
@Carcharoth: TOTP code generation is dependent on the 'account name', 'secret key', and 'time of day'. You can simultaneously generate identical codes on any number of programs or devices if configured with the same information. Print out the 'enable two-factor authentication' page, with that information, and secure it physically... you can then use it to configure a new device. Reventtalk 21:50, 12 November 2016 (UTC)

Just to make this clear to people, since there seems to be a widespread misunderstanding. You do NOT need a smartphone to use this, you merely need a TOTP code generator. There are physical devices that do this, Windows and MacOS applications, and multiple addons for Google Chrome. The 'manual' configuration information displayed on the confirmation page, where your scratch codes are located, can be used to configure any number of devices/programs to produce the codes... any properly configured TOTP code generator, with a synchronized clock, will produce identical and synchronized codes. If you lose your device, but still have the configuration information, you can configure another one to produce a valid code (though your login is no longer secure, since you no longer possess all copies of your code generator). Reventtalk 21:37, 12 November 2016 (UTC)

Does that mean you can generate codes on the same device that you use to login with? That is a security hole, surely? The whole point is to separate this between different devices, isn't it? Login on one device. Get authentication codes on the other device. But then many people log in from all devices these days. Carcharoth (talk) 21:47, 12 November 2016 (UTC)
@Carcharoth: You 'can', but obviously should not. Reventtalk 21:52, 12 November 2016 (UTC)
(e/c) Yes. Remember that you still need access to that actual device in that case. Whereas before you did not. That is an extra barrier. It's even better if you use two devices, but it's not the most important aspect of 2FA. 2FA is about "something you know" (password) AND "something you have" (a unique key on a device). Having just one is not enough. That's what makes it safer than just the password. —TheDJ (talkcontribs) 21:56, 12 November 2016 (UTC)
  • Just enabled it and it seems to work just fine. Also for the many people using the word "loose" above, it's actually "lose". Jauerbackdude?/dude. 21:46, 12 November 2016 (UTC)
  • So, let's see.. "experimental", "must have an app", "Google <whatever>", "scan a QR code" " if <this and that> you will totally be locked out of your account". Other than being insane, why would I want such a thing? I do not have a smartphone (yes I read that we do not need one, still...), I do not trust "Google <whatever>" to have anything to do with my passwords or anything (yes, I do use some Google stuff, but the less the better), I do not trust Wikimedia if you're pushing me into Google arms either... What "recent events"? All my passwords are unique and pretty much scrambled ones. Why should I use a Google thingy that will eventually lock me out? (I am not saying I will not, I am saying the current information scares me more of the TOTP - starting from using weird acronyms on messages... - than from any hacker :) - Nabla (talk) 21:54, 12 November 2016 (UTC)
@Nabla: "Google Authenticator" is just one software implementation of this. You can use Microsoft Authenticator, if you want, or any other TOTP code generator (including an open source one). They will all produce identical, synchronized codes if properly configured. There are 'keychain' devices as well, though they tend to suffer from time drift and have to be resynchronized. The protocol involved is an IETF standard, not a Google product. Reventtalk 21:59, 12 November 2016 (UTC)
Thank you, Revent. I appreciate you trying to help. I hope you understand that replying with a few more "weird words", helps little :-) 'keychain' devices? IETF standard? Can't technical people talk in a way that only-mildly-technical people like me understand? :-) Please do not take me the wrong way, I know you and others mean well, but the current explanation is simply too strange. Damn... I use two-factor authentication already, to access my bank online, and it is way simpler than this. Or at least it feels like simpler, maybe is just the explanation that is still making things too complicated. I would suggest a couple of improvements for the help page. A simple one: the link to "others" links to a non existing page (named Google something - so the alternatives to Google are... Google, so the help page says :-) or not). A not so simple one: provide step by step instructions on how to set it up without a smartphone. I presume quite a few people will not do something that may block us out, unless we are mostly sure it will work. Again, thanks for the effort, please keep improving it - Nabla (talk) 22:23, 12 November 2016 (UTC) PS: Went to check the activation page. It states "Step 1 - Download a mobile app for two-factor authentication (such as Google Authenticator) on to your phone." If there are alternatives, please someone explain them. Weird as it may seem not everybody has a smartphone... - Nabla (talk) 22:31, 12 November 2016 (UTC)
@Nabla: TOTP = Time-based One-time Password Algorithm. IETF = Internet Engineering Task Force.
A 'keychain device' would be a phy