Wikipedia:Wikipedia Signpost/2005-06-06/Password security

An old list of accounts with matching passwords was deleted last week after its existence prompted an extended discussion on Slashdot. In the aftermath of this debate, the developers took advantage of server maintenance downtime to upgrade password security.

The page in question, User:Tim Starling/Password matches, was mentioned on Slashdot on 29 May in an anonymous comment in a separate discussion about the security weaknesses of places that use email addresses as user IDs. The gist of this posting was resubmitted and appeared two days later as a separate news item on the site, resulting in a sometimes heated debate about the appropriateness of this practice.

Why it existed in the first place

Developer Tim Starling had actually created this page back in July 2004, in an effort to identify people who were using multiple accounts in a disruptive fashion. Passwords on Wikimedia sites are stored using a hash function, so Starling determined which passwords were identical by running a query to find accounts with matching password hashes.

The page did not publish any of the actual passwords, only the accounts that matched. Starling has indicated that he only listed accounts having the same password as "the few most active trolls on Wikipedia at the time." The largest group identified was those matching the password being used by Lir, who at the time was involved in an arbitration case dealing with his misuse of sockpuppet accounts.

Even at the time, the use of this tactic in uncovering sockpuppets proved controversial, and the page was nominated for deletion. It had survived this process, although once the Slashdot story was published Erik Möller replaced it with a brief message of explanation. The list itself continued to be accessible thru the history function until developer Brion Vibber learned of its continued existence and promptly deleted the page, replacing it with a copy of Möller's message.

The primary concern was that some of the accounts might belong to different people, and if so this meant that publishing the list had automatically disclosed their password to anyone else with accounts in the same group. Möller reported that at least one of the accounts listed was a legitimate user, Perrak, who is actually an administrator on the German Wikipedia. It was also pointed out that the page might reveal accounts that had weak passwords and could be vulnerable to guessing. In fact, the password for one group of accounts in the list was discovered to be "troll", so these had to be changed.

Adding salt to store passwords

Many of the arguments initially raised in the deletion debate reappeared in the discussion on Slashdot. The easiest way to address the privacy concern mentioned was to use a salt, which is a random string of values added to the password hash, so that otherwise identical passwords do not match each other. Starling has also said he would not use this tactic again, which if repeated would violate the recently adopted privacy policy.

According to Vibber, MediaWiki has had support for salted passwords for a long time, but this had not been applied to Wikipedia because this would render existing (unsalted) passwords inoperative. The code for adding salt to the password hashes was actually one of Starling's first contributions to the software. To correct the situation, during some downtime for server maintenance on Wednesday Vibber ran a database query that upgraded existing password hashes to add the salt.

Afterward, a few users did report that their passwords were no longer working, possibly due to a glitch in the upgrade. After investigating, Vibber said he believed the problem was traceable to having used the "email me a new password" feature without then changing the password. Apparently, the new passwords in those cases were not updated, so the operation was performed again for accounts that might be affected.