Wikipedia:Wikipedia Signpost/2015-11-11/Discussion report

Compromise of two administrator accounts prompts security review: Fallout from a recent security breach.
The Signpost

Discussion report

Compromise of two administrator accounts prompts security review

Compromised accounts and security RfC

On November 4, in a protest against Wikimedia security practices, a grey hat hacker compromised the accounts of the administrators Salvidrim! and OhanaUnited and, from those accounts, posted two messages to the bureaucrats' noticeboard requesting immediate desysopping of those accounts.

The hacker claimed responsibility for the breach on Reddit[1], criticizing the status quo of security on Wikimedia projects:

Countless usernames, emails and plain text passwords of Wikipedia accounts are listed in the data breaches, including accounts with CU/OS permissions. One that stood out was that of a former arb and WMF staff member whose same password was listed on multiple dumps. I also came across login details for multiple emails ending with @wikimedia.org, recognized some as having developer access. FWIW, they all had mostly strong passwords, although it hardly matters if they use the same password on WP. Now, I didn’t try logging into any of these to check if they work or not. The only reason I tried logging into these two accounts is because I recognized them as familiar admin accounts which had numbers as passwords and I was convinced it wouldn’t give me access. Once it did, I only had two options, either post to BN or forget about it. Had I reported it to Arbcom or privately, it would have been swept under the rug.

For all we know, people have been accessing admin accounts with impunity for years without anyone knowing. Nothing short of a forced reset for passwords on all privileged accounts is going to solve this.

I didn’t comb through the data further nor do I intend to - but that does not mean others won't.


— cwmtwrp

Although both administrators were able to regain access to their accounts, editors nonetheless raised concerns about account security on Wikipedia and Wikimedia projects. Some ideas were raised at the noticeboard discussion, including password complexity requirements and identifying privileged accounts with weak passwords. One day later, after consultation with the Wikimedia security team, Worm That Turned opened an RfC to review the status quo of security and to receive proposals on how to strengthen account security.

In brief

  • BASC motions: On the ArbCom motion request page, two motions were proposed relating to the Ban Appeals Subcommittee (BASC). The former motion proposed narrowing the scope of BASC to functionary blocks and blocks unsuitable for public discussion, and the latter motion proposed disbanding BASC altogether.
  • WP:NOTHERE as a blocking rationale: A few weeks ago, Doc9871 added "not here to build an encyclopedia" (WP:NOTHERE) to Wikipedia:Blocking policy as a suggested rationale for blocking. Concerned with the page's essay classification, Staszek Lem reverted the addition. An RfC was opened on whether 'NOTHERE' should be added as a suggested rationale. Some also suggested promoting WP:NOTHERE to a guideline or a policy.
  • Poetic militancy: An editor has proposed banning the promotion of violent acts ("poetic militancy") on user pages as a polemic.
  • RfA reform, again: Started by Biblioworm "to move past the disorderly and spontaneous discussion [on RfA reform]", the 2015 administrator election reform project is the most recent in many attempts to reform the requests for adminship process. Aimed at identifying the issues with RfA, the first RfC was closed very recently; reception has been mixed on most proposed issues, but most agree that RfA needs more participants and that RfA subjects candidates to a less-than-friendly environment.

Discuss this story


This would be a good time for editors, especially administrators, to change passwords and use a good one. Jonathunder (talk) 00:01, 16 November 2015 (UTC)

  • RfA reform, again: The long and convoluted RfC tells us nothing new. Started by well meaning relative newcomers to the challenge of RfA reform, preferring not to take any cues or clues from the mighty work that was done at WP:RFA2011, they naïvely thought that reinventing the RfC wheel would prod some of those oft proposed reforms into action. Refreshing though to see it confirmed that 5 years ago we weren't wrong. --Kudpung กุดผึ้ง (talk) 10:16, 16 November 2015 (UTC)
Perhaps I am misreading your comment, but it appears you are applauding a failure to improve the Wiki. Maury Markowitz (talk) 12:24, 16 November 2015 (UTC)
  • NOTHERE I said this on the talk page, but I'll put it here too: How is this not already *the* core principle of this place? People have been banned for it a decade ago. Why don't we ban everyone who disagrees with it? What's wrong with people who don't accept it? DreamGuy (talk) 00:45, 17 November 2015 (UTC)