
Wikipedia:Bureaucrats' noticeboard: Difference between revisions

From Wikipedia, the free encyclopedia
Requesting desysop: new section


In September [https://en.wikipedia.org/w/index.php?title=Wikipedia:Bureaucrats%27_noticeboard&diff=prev&oldid=679710705 I asked] that the admin tools be removed from my account while I was travelling overseas in case anything went wrong from using shared internet connections. I've now returned home and would appreciate it if my access to the tools could be reinstated. Thanks, [[User:Nick-D|Nick-D]] ([[User talk:Nick-D|talk]]) 02:49, 12 November 2015 (UTC)

== Requesting desysop ==

Given the recommendations that have been made to me, I voluntarily lay down my adminship, recognizing that I will need to make a new request for adminship in order to have a chance at becoming an administrator again. I understand that becoming an administrator again in the future will not be automatic upon reapplication. [[User:Neelix|Neelix]] ([[User talk:Neelix|talk]]) 19:14, 12 November 2015 (UTC)

Revision as of 19:14, 12 November 2015

    To contact bureaucrats to alert them of an urgent issue, please post below.
    For sensitive matters, you may contact an individual bureaucrat directly by e-mail.
    You may use this tool to locate recently active bureaucrats.

    The Bureaucrats' noticeboard is a place where items related to the Bureaucrats can be discussed and coordinated. Any user is welcome to leave a message or join the discussion here. Please start a new section for each topic.

    This is not a forum for grievances. It is a specific noticeboard addressing Bureaucrat-related issues. If you want to know more about an action by a particular bureaucrat, you should first raise the matter with them on their talk page. Please stay on topic, remain civil, and remember to assume good faith. Take extraneous comments or threads to relevant talk pages.

    If you are here to report that an RFA or an RFB is "overdue" or "expired", please wait at least 12 hours from the scheduled end time before making a post here about it. There are a fair number of active bureaucrats; and an eye is being kept on the time remaining on these discussions. Thank you for your patience.

    To request that your administrator status be removed, initiate a new section below.



    Compromised accounts

    • Account compromised. Please desysop. Login details for millions of accounts from various data breaches have been readily available in the public domain for months now. A small list can be seen here. If you use the same password across multiple websites including Wikipedia, your account might have already been compromised. Please force a password reset for all admin and functionary accounts across wikimedia projects immediately. Salv, sad to see an admin account with both UTRS and OTRS access using a 6 digit number as password.  · Salvidrim! ·  08:28, 4 November 2015 (UTC)
    • Posting from another admin account to show how widespread this is. Please use a different password for your Wikipedia account, especially if you are an administrator or a functionary. WMF, at the very least consider implementing 2FA for accounts with advanced permissions. Meanwhile, desysop this one and CU other admin accounts to check for any unauthorized access. I assure you, there is no malicious intention on my part, just letting y’all know about this in the most effective way. OhanaUnited, please don't use your dob as your password - anywhere. OhanaUnitedTalk page 08:33, 4 November 2015 (UTC)
      I have temporarily blocked these two accounts, and will desysop IAR if I see any admin actions from either. I've notified Arbcom with a view to a level 1 temporary desysop. WormTT(talk) 08:48, 4 November 2015 (UTC)

    I have desysopped both accounts. If there are consequences for not waiting for the go ahead from ArbCom so be it. My reason for desysopping straight away is that these accounts have now been exposed to the world as compromised, with information provided about their passwords and hints about how to find them. The person who did so (thanks for bringing this to our attention) does not say that they changed the passwords, which means that anyone can still log into them and (at the very least) view deleted edits, which is not acceptable. WJBscribe (talk) 09:01, 4 November 2015 (UTC)

    Follow up

    I believe that when we last had a crop of compromised accounts (4 back in May 2007 as I recall), the developers ran a password cracker over all admin accounts to identify those with weak passwords. It sounds like we should do that again. I also think we should consider sending a talkpage message (and possibly email) to every admin reminding them of the need for a secure password, and asking them to change their password to one they do not use on other websites. WJBscribe (talk) 10:14, 4 November 2015 (UTC)

    I would support this, definitely. WormTT(talk) 10:15, 4 November 2015 (UTC)
    I've dropped Maggie a line about the password cracker idea, happy to take point on that if someone else can follow up on the reminders. WormTT(talk) 10:24, 4 November 2015 (UTC)
    Agreed and agreed. --Dweller (talk) 10:19, 4 November 2015 (UTC)
    All functionaries have been notified to change their passwords as they get the email. -- Amanda (aka DQ) 10:27, 4 November 2015 (UTC)
    Agreed. I can't believe that there are admin accounts with 6 digit passwords... Sam Walton (talk) 10:38, 4 November 2015 (UTC)
    I would argue against running a cracker on the password file. It's a personal privacy breach and poor security protocol. After a breach like this a better plan would be to expire the Wikipedia passwords and require strong password replacements. It's never a good idea to create the very index that hackers want to see especially if the concern is multi-site that WP can't control (i.e. Wikipedia secures an admin account by exposing his bank account). It would be rather embarrassing as well as a liability if Wikipedia's crack program exposed editors' third-party passwords in any fashion, even internally. --DHeyward (talk) 10:42, 4 November 2015 (UTC)
    I don't think it is a personal privacy issue. A password is revealed to Wikipedia when you create an account with it, it is not private information. If the same party you revealed it to attempts to guess it for their internal security that is not an invasion of your privacy, it is the organization protecting itself. I think you will find it a fairly common practice for anyone with advanced permissions to have their password audited in most organizations. HighInBC 15:49, 4 November 2015 (UTC)
    If you have to run a cracker on it, it's private. If the concern is that it's used in multiple places, it's private. It should be treated much more guarded than a SPI investigation and checkuser logs. The assertion is that they are used in more than one place. If you're concerned that "JohnDoe" used the same password at his bank that he used at Wikipedia, it is not helping by finding his clear text password and just fixing the Wikipedia account. It's exposure that need not happen. Dragging out the password file is asking for trouble when there are ways to correct the problem that don't involve cracking. Auditing is important as well.--19:36, 4 November 2015 (UTC)
    How about a forced new system which won't accept a password if it does not contain at least one "caps" word and one "number" with no less than 8 characters...simple solution no?--Stemoc 10:46, 4 November 2015 (UTC)
    @Stemoc: Note that those requirements (Capital, digit, lower case + weird character, 8 minimum) are not really the strongest type of passwords, you end up with passwords like: Banana1! (the location of capital, number and character are often the same), besides that those passwords are harder to remember (causing people to write them down somewhere). Strong passwords are easy to remember but lengthy. Using a sentence or set of random words is optimal (bananacookietablecoffeeexception, 5 words to remember for you, but difficult to crack due to length). Basvb (talk) 13:49, 4 November 2015 (UTC)
    XKCD saying the same WormTT(talk) 13:56, 4 November 2015 (UTC)
    Where do you think I got it from? However a minimum length for passwords is a good idea, I just created an account with "1" as password, that is a bit too short imo. Basvb (talk) 14:24, 4 November 2015 (UTC)
    Re: bananacookietablecoffeeexception, Hey, how did you guess my password? ~Awilley (talk) 20:44, 4 November 2015 (UTC)
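The entropy argument Basvb makes above, worked through in code as an added example (not code from anyone in this thread): it estimates the guessing effort for a password of the "Banana1!" shape under the per-character model a complexity rule implicitly assumes, then under the model an attacker actually uses (one dictionary word, then digits, then symbols), and compares both with a five-word random passphrase like the one given above. The word-list sizes, the guess rate and the eight-character floor from Stemoc's proposal are constructed assumptions.

```python
import math
import re

# Constructed assumptions for the estimate (not figures from the discussion):
WORDLIST_SIZE = 100_000      # words an attacker's dictionary is assumed to hold
DICEWARE_SIZE = 7_776        # words in a standard diceware list (6**5)
SYMBOL_COUNT = 32            # printable ASCII punctuation characters
GUESSES_PER_SECOND = 1e10    # offline guessing rate against a fast hash
MIN_LENGTH = 8               # the minimum length proposed in the thread

# The shape a complexity rule tends to produce: one capitalised dictionary
# word, then some digits, then some symbols ("Banana1!").
POLICY_SHAPE = re.compile(r"^([A-Z][a-z]+)([0-9]+)([^A-Za-z0-9]+)$")


def naive_charset_bits(password: str) -> float:
    """What a complexity rule implicitly assumes: every character drawn
    uniformly from the union of the character classes present."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += SYMBOL_COUNT
    return len(password) * math.log2(size) if size else 0.0


def pattern_aware_bits(password: str) -> float:
    """What an attacker actually has to search once the word+digits+symbols
    structure is known: the dictionary, the digits, the symbols, nothing else."""
    match = POLICY_SHAPE.match(password)
    if not match:
        return naive_charset_bits(password)
    _, digits, symbols = match.groups()
    return (math.log2(WORDLIST_SIZE)
            + len(digits) * math.log2(10)
            + len(symbols) * math.log2(SYMBOL_COUNT))


def passphrase_bits(word_count: int, list_size: int = DICEWARE_SIZE) -> float:
    """Entropy of `word_count` words picked at random from a list; independent
    of how long the words are, so it is the honest figure for a passphrase."""
    return word_count * math.log2(list_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate at the assumed guess rate."""
    return 2 ** bits / rate / (365 * 24 * 3600)


def check_minimum_length(password: str, minimum: int = MIN_LENGTH) -> bool:
    """The one rule from the thread that survives scrutiny: a length floor."""
    return len(password) >= minimum


if __name__ == "__main__":
    for label, bits in [
        ("Banana1!, charset model", naive_charset_bits("Banana1!")),
        ("Banana1!, pattern model", pattern_aware_bits("Banana1!")),
        ("5 diceware words", passphrase_bits(5)),
    ]:
        print(f"{label:28s} {bits:6.1f} bits  {years_to_exhaust(bits):.2e} years")
```

The charset model credits "Banana1!" with about 52 bits; the pattern model gives it about 25, because the attacker never searches the full 94-character alphabet. Five random words from a 7,776-word list come to about 65 bits with no special characters at all, which is the point of the XKCD comparison WormTT links.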
    I'm all in favour of WMF trying to brute-force the password hashes, as they did before. However, let's remember the problem on this occasion is not the short passwords per se, but using the same password elsewhere. A request to change your password again, for this was done relatively recently, should really stress this point. -- zzuuzz (talk) 10:47, 4 November 2015 (UTC)
    How about instead of doing all this password changing and brute-force attacks, the WMF just implement two-factor authentication for all those with sysop flags. That should solve a lot of issues. --Stabila711 (talk) 11:04, 4 November 2015 (UTC)
    I've always been in support of adding 2FA (opt-in at the very least), and so is the community. Sam Walton (talk) 11:10, 4 November 2015 (UTC)
    All the password complexity requirements in the world aren't going to jack when you use the same password elsewhere, and Adobe someone flubs it due to poor database security and security design. 2FA should be mandatory for all advanced permissions holders, and optionally available to anyone else that wants to use it. Lankiveil (speak to me) 11:15, 4 November 2015 (UTC).
    It seems like the 2FA Phab task is at the bottom of a big pile of CentralAuth related requests. Sam Walton (talk) 11:22, 4 November 2015 (UTC)
    Tbf, it's not like their "wikipedia" accounts were hacked, no need to strengthen the WMF servers just because both users used the same pass for their wiki as well as for another site where the hacking was carried out... As of now, all I can recommend is for all Canada based users to change their passwords as both users were from Canada so it was something they both are part of in Canada which was hacked --Stemoc 11:26, 4 November 2015 (UTC)

    Maybe another approach would be to require all admins to certify: (i) that they have a password that meets certain minimum complexity requirements; and (ii) that the password is not used for anything else. It could be understood that if the certification proves untrue, accounts will be permanently desysopped and admins will need to pass a fresh RfA to regain them. A page could be created for admins to sign within a period of time (say 2 months). After 2 months, admins who haven't signed would be temporarily desysopped until they sign up. Is that going too far? WJBscribe (talk) 11:31, 4 November 2015 (UTC)

    That's too far away, I think. You cannot prove the truth of it. — regards, Revi 11:35, 4 November 2015 (UTC)
    I can't say I like that idea, it seems very reactionary - when it comes down to it, there's only so much damage an admin can do. This was dealt with quickly, and would have been dealt with even faster if there had been any visible abuse of the admin tool. There's a big difference between recommending a course of action and enforcing one in this manner. The last thing I want to do is discourage people from signing up to be an admin, and something like that might. WormTT(talk) 11:39, 4 November 2015 (UTC)
    Concur: hackers, thieves and vandals who get passwords are far more likely to be going after banks and online vendors than Wikipedia, and only admins who have declared their real world identification would be vulnerable even if their password was in the wild. Do we know if wikimedia software detects multiple failed login attempts? NE Ent 11:50, 4 November 2015 (UTC) updated NE Ent 12:09, 4 November 2015 (UTC)
    I'm positive you didn't mean any harm, Ent, but Eric S. Raymond would not like you referring to these people as "hackers", [2] and I don't really either. Ritchie333 (talk) (cont) 12:05, 4 November 2015 (UTC)
    IIRC, there is ratelimiting preventing login if you fail to login a few times from a given IP address for a given period of time. I don't remember the specific rules, though. — regards, Revi 12:18, 4 November 2015 (UTC)
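NE Ent asks above whether the software notices repeated failed logins, and Revi recalls a per-IP limit. The following is an added example, not MediaWiki's code (MediaWiki's own setting for this is the `badlogin` entry of `$wgRateLimits`; its real values are not on this page and the 5-per-300-seconds figures below are constructed). It is a sliding-window throttle keyed by both the source IP and the target account, replayed over a few constructed log lines, with a method that lists the keys currently at the limit, which is what a monitoring alert would report.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed thresholds for this example. MediaWiki's real knob is the
# 'badlogin' entry of $wgRateLimits; its values are not quoted on this page.
MAX_FAILURES = 5
WINDOW_SECONDS = 300


class LoginThrottle:
    """Sliding-window counter of failed logins, keyed by any string (here a
    source IP and a target account). Once a key reaches the limit, further
    attempts are rejected before the password is even checked."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures

    def _prune(self, key, now):
        recent = self._failures[key]
        while recent and now - recent[0] >= self.window:
            recent.popleft()

    def is_limited(self, key, now) -> bool:
        self._prune(key, now)
        return len(self._failures[key]) >= self.max_failures

    def record_failure(self, key, now):
        self._prune(key, now)
        self._failures[key].append(now)

    def record_success(self, key):
        self._failures.pop(key, None)

    def limited_keys(self, now):
        """Keys currently at the limit: what a monitoring alert would report."""
        return sorted(k for k in list(self._failures) if self.is_limited(k, now))


def parse_epoch(text):
    """'2015-11-04T08:20:00Z' -> POSIX seconds."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def replay(log_lines, throttle=None):
    """Feed 'timestamp ip account result' lines through the throttle and return
    one decision per line: 'ok', 'fail' or 'throttled'."""
    throttle = throttle or LoginThrottle()
    decisions = []
    for line in log_lines:
        stamp, ip, account, result = line.split()
        now = parse_epoch(stamp)
        keys = (f"ip:{ip}", f"user:{account}")
        if any(throttle.is_limited(k, now) for k in keys):
            decisions.append("throttled")      # rejected before the password is checked
            continue
        if result == "FAIL":
            for k in keys:
                throttle.record_failure(k, now)
            decisions.append("fail")
        else:
            for k in keys:
                throttle.record_success(k)
            decisions.append("ok")
    return decisions


# Constructed log lines (documentation-range addresses, made-up account name).
SAMPLE_LOG = [
    "2015-11-04T08:20:00Z 198.51.100.9 AdminA FAIL",
    "2015-11-04T08:20:10Z 198.51.100.9 AdminA FAIL",
    "2015-11-04T08:20:20Z 198.51.100.9 AdminA FAIL",
    "2015-11-04T08:20:30Z 198.51.100.9 AdminA FAIL",
    "2015-11-04T08:20:40Z 198.51.100.9 AdminA FAIL",
    "2015-11-04T08:20:50Z 198.51.100.9 AdminA OK",    # right guess, but the IP is at the limit
    "2015-11-04T08:21:00Z 203.0.113.5 AdminA FAIL",   # new IP, same account: account key still limited
    "2015-11-04T08:26:30Z 198.51.100.9 AdminA OK",    # window has passed: allowed through
]

if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(decision.ljust(9), line)
```

Two caveats worth keeping in mind. A throttle only defeats online guessing; the incident in this thread was password reuse, where the first attempt succeeds and no limit ever trips, so it is no substitute for the 2FA proposals above. And the account-keyed counter can be abused to lock a named admin out, which is why per-account limits are commonly escalated to a CAPTCHA rather than a hard block.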

    I just saw the note on AN. For what it's worth, on other sites where I have been an admin or mod, we ran password cracking utilities and any staff member that came up positive got 2 days to change it. If they didn't, they would be banned until a) they told us they changed it and b) a crack was unsuccessful. Standard procedure, if you ask me. I would recommend anyone who comes up with a bad password to be identified by email, NOT talk page (the last thing you want is people looking and thinking "ooh, easy admin account to crack!") As for "there's only so much damage an admin can do" - well I don't think there's any technical reason an admin can't unblock JarlaxleArtemis or undelete any amount of G10 attack pages so they can be copypasted elsewhere on the net, and while no admin would normally do that, a compromised account who doesn't care about desysopping much is like a bull in a china shop and can scare editors away really quickly, who'll then require some serious diplomacy to win back. Mind you, think of how much damage a compromised 'crat or steward account can do! Ritchie333 (talk) (cont) 11:52, 4 November 2015 (UTC)

    • The real danger is in unlogged actions. A compromised admin account could quietly read deleted content that may compromise privacy and nobody would ever notice. As an admin I see deleted private info ranging from names to credit card numbers before oversight gets to it. We can't assume that a compromised admin account would be evident. HighInBC 15:55, 4 November 2015 (UTC)
    Both accounts seem to be globally locked. Anyways, one of them was a crat on Wikispecies, and an OTRS member. That is terrible. But even brute force won't help if the password is strong by itself, but used on another site with a security leak. Those cases of bad security will most likely not be found out until it is too late.--Müdigkeit (talk) 13:10, 4 November 2015 (UTC)
    • 2FA is the obvious solution that most environments serious about security have already implemented. Wikipedia has taken the "just good enough" approach to security long enough. We used to not even use SSL on the login page. Add the option to upload a PGP public key and require that a simple challenge be passed on each login. You simply encrypt a random string to the user's key and demand that they repeat the decrypted version back. Simple to program and incredibly effective. HighInBC 15:51, 4 November 2015 (UTC)
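HighInBC's challenge-response login above, as an added example that is not the page's or the project's code. It keeps the protocol shape he describes (the server encrypts a fresh random string to the user's public key; the user must send the plaintext back) but stands in a textbook-RSA toy key constructed for the example (the classic n=3233, e=17, d=2753 parameters, one block per byte) for a real OpenPGP key and library. The server side also makes each challenge single-use and time-limited, which the proposal leaves implicit and which is what stops a captured answer from being replayed.

```python
import hmac
import secrets
import time

# Toy textbook-RSA key pair, constructed for this example only: the classic
# p=61, q=53 parameters (n=3233, e=17, d=2753). A deployment would use the
# user's real OpenPGP key through a proper library, not this.
TOY_PUBLIC_KEY = (3233, 17)      # (n, e)
TOY_PRIVATE_KEY = (3233, 2753)   # (n, d)


def encrypt_to_key(plaintext: bytes, public_key) -> list:
    """Encrypt one byte per RSA block. Deterministic and unpadded, so it is a
    substitution cipher: enough to show the protocol shape and nothing more."""
    n, e = public_key
    return [pow(byte, e, n) for byte in plaintext]


def decrypt_with_key(blocks, private_key) -> bytes:
    n, d = private_key
    return bytes(pow(block, d, n) for block in blocks)


class ChallengeServer:
    """Login step: encrypt a fresh random string to the user's public key and
    accept only if the exact plaintext comes back, once, before it expires."""

    def __init__(self, public_keys, ttl_seconds=60, clock=time.time):
        self.public_keys = public_keys      # username -> public key
        self.ttl = ttl_seconds
        self.clock = clock                  # injectable so expiry can be tested
        self._pending = {}                  # username -> (secret, expires_at)

    def issue(self, username):
        secret = secrets.token_bytes(16)    # 128 random bits, never reused
        self._pending[username] = (secret, self.clock() + self.ttl)
        return encrypt_to_key(secret, self.public_keys[username])

    def verify(self, username, response: bytes) -> bool:
        entry = self._pending.pop(username, None)   # consumed whether or not it matches
        if entry is None:
            return False
        secret, expires_at = entry
        if self.clock() > expires_at:
            return False
        return hmac.compare_digest(secret, response)


def demo():
    """One honest login, one replay of the same answer, one wrong answer."""
    server = ChallengeServer({"alice": TOY_PUBLIC_KEY})
    blocks = server.issue("alice")
    answer = decrypt_with_key(blocks, TOY_PRIVATE_KEY)
    first = server.verify("alice", answer)          # True
    replayed = server.verify("alice", answer)       # False: challenge already consumed
    server.issue("alice")
    wrong = server.verify("alice", b"\x00" * 16)    # False: does not match
    return first, replayed, wrong


if __name__ == "__main__":
    print(demo())
```

One design caveat a reviewer would raise against the proposal as stated: because the client decrypts whatever it is handed, anyone able to impersonate the login page turns the user into a decryption oracle for that key. Production designs therefore have the client sign a server-chosen nonce with a key dedicated to login, or use a standard second factor, rather than decrypt arbitrary ciphertext.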
    Whatever it is, I take a moment to commend the work done by the unknown third party who has faithfully notified BN about this. Whoever you are, if you are seeing this, Wikipedia appreciates your work and is in debt. Thanks—UY Scuti Talk 17:12, 4 November 2015 (UTC)
    • EMail Many admins are not even email enabled as it is not required by policy. Hence no email can be sent even in situations like this. User:OhanaUnited does not appear to have enabled the email option (he could have one without the Enable email from other users option in preferences, which I do not know). Now if checkuser information is not available and without email access it may become complicated to confirm. I do think every admin should have email even if for privacy or harassment they do not allow users to email them by not choosing the Enable email from other users option. Pharaoh of the Wizards (talk) 20:07, 4 November 2015 (UTC)
    • However, they are an OTRS agent, and that is linked to an e-mail address, so that could be a way to possibly verify identity. They also have a committed identity key.  · Salvidrim! ·  20:31, 4 November 2015 (UTC)

    Recovery

    The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.


    This is Salv, from an alt. I have successfully gotten a password reset but until my account is no longer globally locked, I cannot login with the temporary password in order to change it to a new random (longer this time) string. I've had at least one arb text me and I'd be more than happy to speak with anyone anywhere on the phone or elsewhere if someone needs more confirmation. I'm off to work now but I'll comment more at length on Wikipedia security as soon as I have some time to sit down and collect my thoughts. Salvidrim (talk) 13:22, 4 November 2015 (UTC)

    If the Arb who you are in contact with can email me to confirm they are happy you are in control of your account via WP (or any other Steward) then someone will unlock your account. QuiteUnusual (talk) 14:48, 4 November 2015 (UTC)
    The Arb in question (DQ, if you must know) may not be available quickly, so I've e-mailed the stewards list and remain available to confirm my identity with any other available arbitrator. The only one who could currently access the Salvidrim! account (if it wasn't globally locked) would be myself, with the temporary password I've had reset and which is sitting in my e-mail. I can't think of a better way to prove it than with my sweet, angelic face (it's been a rough morning). :) Salvidrim (talk) 15:19, 4 November 2015 (UTC)
    What a nice picture. Based on various convincing evidence I've unlocked the account - thanks. QuiteUnusual (talk) 15:32, 4 November 2015 (UTC)
    I've unblocked - feel free to serve seafood if I've done this out of process, but I think a steward's confirmation and global unlock should be okay, right? Ritchie333 (talk) (cont) 15:37, 4 November 2015 (UTC)
    I was just chatting to Salvidrim off wiki to double check - would rather he'd have confirmed he was back in control (he couldn't reset the password due to the locked account) before we did it, but I'm sure we'll be fine and he'll shout out if he doesn't get control back. WormTT(talk) 15:41, 4 November 2015 (UTC)
    (edit conflict)Thanks... I guess? ;) I can confirm I am back in control of my account and have obviously changed the password for something that is more in line with my current personal-password-policy. The next step is for ArbCom to give their greenlight as far as resysopping goes, and then I'll have to get my UTRS and OTRS accounts reactivated (they were shut down preventively but they already had different passwords anyways).  · Salvidrim! ·  15:39, 4 November 2015 (UTC)
    It would suck even more if ArbCom said this was a cloud desysop and you could only get it back through an RfA. That would be icing on the cake. :p—cyberpowerChat:Online 15:46, 4 November 2015 (UTC)
    This has happened before. If I remember correctly that bit was not automatically given back due to failure to secure their admin account. I am not sure if this is what is going to happen this time though. HighInBC 15:57, 4 November 2015 (UTC)
    Restoration of adminship only was denied when it was impossible, due to the passage of time, to verify that the person claiming to be the ex admin was in fact him. Where the identity of the person was confirmed, and of course the change to a better password was also confirmed, adminship has always been returned. Newyorkbrad (talk) 19:12, 4 November 2015 (UTC)
    Good. HighInBC 22:41, 4 November 2015 (UTC)
    In any event, I have changed my Wikipedia password to something completely random, that I can no longer remember.—cyberpowerChat:Online 15:48, 4 November 2015 (UTC)
    Make sure you change your email passwords too. Especially if they are similar to the passwords you used on other sites. I know it's a pain, but that is a way to gain new passwords. Dave Dial (talk) 16:00, 4 November 2015 (UTC)
    I'm going to be creating random passwords for all of my important accounts that I usually only access on a single set of devices.—cyberpowerChat:Limited Access 16:05, 4 November 2015 (UTC)
    My e-mail password is basically the key to my entire life so it's literally the most secure thing I own -- the actual password is encrypted using SHA-2 from a secret, random string that is committed to memory (took me a week of constant mnemonic training). ;)  · Salvidrim! ·  16:09, 4 November 2015 (UTC)
    Salvidrim!, it's still unclear to me how this all started and how you gained control of OhanaUnited's account. I'm asking to understand exactly what happened, why it happened now and how it might impact other admins and functionaries. Liz Read! Talk! 16:21, 4 November 2015 (UTC)
    @Liz: What makes you say that Salvidrim! gained control of OhanaUnited's account? What appears to have occurred is that a third party gained control of both accounts and posted here to indicate that the accounts had been compromised. WJBscribe (talk) 16:25, 4 November 2015 (UTC)
    Both accounts (Salvidrim! and OhanaUnited) were compromised by an unidentified 3rd party who stated they did so to show that the accounts' passwords were compromised. Dave Dial (talk) 16:28, 4 November 2015 (UTC)
    (edit conflict)x2 - Whoa Liz, I think you misunderstood something -- a third party gained access to both mine and Ohana's account due to compromised passwords. I've posted a short explanation of my understanding of what happened on my talk page (which is basically a copy of what I already answered the Steward team).  · Salvidrim! ·  16:29, 4 November 2015 (UTC)
    (ec)Okay, that wasn't clear to me but it makes sense. But what third party would hack into other user accounts and then come to BN to warn about this fact? Curious. Liz Read! Talk! 16:30, 4 November 2015 (UTC)
    Liz, the answer is "no-one". --Dweller (talk) 16:42, 4 November 2015 (UTC)
    The third party didn't hack into the accounts, but found compromised account logins and passwords from other sites published elsewhere. They then presumably checked to see if admin accounts with the same login names here used the same passwords as at the compromised sites, and alerted the bureaucrats when they did. (At least, that's what I understand from what they said up above.) 823510731 (talk) 16:47, 4 November 2015 (UTC)
    Yes, but that is what is puzzling. Not that the third party found vulnerable accounts, it's that they chose to come to the Bureaucrats' Noticeboard to warn about the vulnerability rather than cause mischief. Not exactly standard practice for your run-of-the-mill vandal.
    And as much as it is important to have strong passwords, why do people have the same username on all platforms? That just makes things very easy. Liz Read! Talk! 17:01, 4 November 2015 (UTC)
    It is something of a tradition, I guess; White Hat hackers regard it as a public service to keep admins on our toes this way. As for keeping the same name on multiple sites, this does have the advantage that someone else can't grab "your" name elsewhere and misuse it. ϢereSpielChequers 17:13, 4 November 2015 (UTC)
    Why would you expect them to be a vandal? If I found compromised Wikipedia accounts, I'd report them too rather than using them to cause mischief. 823510731 (talk) 17:21, 4 November 2015 (UTC)
    Would you log in to these accounts to report them?--Ymblanter (talk) 18:14, 4 November 2015 (UTC)
    It's definitely the most impactful way. Just telling the affected users privately, for example, would've been quite a lot easier to sweep under the rug. Making this a public display is excellent for raising awareness and to generate real discussion towards improving security systems.  · Salvidrim! ·  18:21, 4 November 2015 (UTC)
    Well, I'd have to have logged in to know they're compromised, so why not? As Salvidrim says, it's an impactful way of getting people to use better passwords. 823510731 (talk) 18:24, 4 November 2015 (UTC)
    Responsible disclosure is a tradition that predates L0pht --In actu (Guerillero) | My Talk 18:47, 4 November 2015 (UTC)

    Resysopping

    Should be good to go, 'crats. Sorry all for the inconvenience! :)  · Salvidrim! ·  19:07, 4 November 2015 (UTC)

     Done. Don't worry about it, no harm done. WJBscribe (talk) 19:12, 4 November 2015 (UTC)
    The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

    Recovery part 2

    The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

    Hi, this is OhanaUnited (I'm temporarily using my bot account that you can verify by checking the page history). I also cannot reset the password until the main account is unblocked. My email is fine as it uses a different password than wiki. I have communicated with User:Ktr101 and confirmed with him that I will be using the bot account to post this message (Ktr101 and I met in real life and thus can confirm that I have control of the account through non-wiki channel). I also used SHA-1 (at the bottom of my userpage) so that I can verify the passphrase with an ArbCom member and steward. OhanaBot (talk) 02:56, 5 November 2015 (UTC)
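The SHA-1 on OhanaUnited's user page is a committed identity: the hash of a secret string is published in advance, and later the secret itself is revealed privately to someone who recomputes the hash and compares. The commit and verify steps in Python, as an added example that is not code from the page or from any Wikipedia template. SHA-512 is the default here, with SHA-1 accepted only for verifying an existing commitment like the one above; the 32-character minimum is a constructed assumption, added because a published digest of a short secret can be recovered offline by guessing, the same failure mode as the short passwords earlier in this thread.

```python
import hashlib
import hmac

# Constructed assumption for this example: refuse to commit to anything shorter
# than this. A published digest of a short secret can be recovered offline by
# guessing, exactly like the weak password hashes discussed in this thread.
MIN_SECRET_LENGTH = 32

# sha1 is kept only so that old commitments can still be checked.
SUPPORTED = ("sha512", "sha256", "sha1")


def raw_digest(secret: str, algorithm: str) -> str:
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hashlib.new(algorithm, secret.encode("utf-8")).hexdigest()


def commit(secret: str, algorithm: str = "sha512") -> str:
    """Produce the digest to publish on the user page. The secret stays offline."""
    if len(secret) < MIN_SECRET_LENGTH:
        raise ValueError(f"secret shorter than {MIN_SECRET_LENGTH} characters is guessable")
    if algorithm == "sha1":
        raise ValueError("sha1 is accepted for verifying old commitments, not for new ones")
    return raw_digest(secret, algorithm)


def verify(published_digest: str, claimed_secret: str, algorithm: str = "sha512") -> bool:
    """Recompute the digest from the revealed secret and compare in constant time."""
    expected = published_digest.strip().lower()
    return hmac.compare_digest(expected, raw_digest(claimed_secret, algorithm))


def identify_algorithm(published_digest: str, claimed_secret: str):
    """When the user page does not say which hash was used, try each supported
    one and return the name that matches, or None if none does."""
    for name in SUPPORTED:
        if verify(published_digest, claimed_secret, name):
            return name
    return None


# Constructed secret for the demonstration; a real one is private to its owner.
EXAMPLE_SECRET = ("Example User, born 1 January 1970 in Exampletown; "
                  "backup contact example@example.invalid; committed 2015-11-05")

if __name__ == "__main__":
    published = commit(EXAMPLE_SECRET)
    print("publish on user page:", published)
    print("later claim verifies:", verify(published, EXAMPLE_SECRET))
    print("wrong secret verifies:", verify(published, EXAMPLE_SECRET + "!"))
```

The secret should contain details only the real person would know and never be reused as a password anywhere, since revealing it to a steward is the whole point of the scheme.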

    I can attest that Ohana is using this bot under his own control, and can provide screenshots of the conversation of this if needed. Kevin Rutherford (talk) 03:00, 5 November 2015 (UTC)
    @OhanaUnited, OhanaBot, and Ktr101: Ohana - things are appearing to be in order, I would like to verify this is you as much as possible though, so please drop me an email to verify your passphrase, and if you have another method too, it would help to ease any worries about you not being in control of the account. Kevin - If you could please forward these, you should have my email on file, if not, drop me one, and I will reply. -- Amanda (aka DQ) 07:27, 5 November 2015 (UTC)
    @DeltaQuad: I have emailed you the SHA-1 identity passphrase. To all... I read through whoever hacked my account and their supposedly "white hat" action but found some inconsistency in their story. My previous password wasn't just DOB, it is a combination of alphanumeric with 8 characters (six numbers + 2 letters). Also, they pointed out that they retrieved information from this website yet I don't use any of the websites listed (no Adobe, Sony PS3, Snapchat, etc.) and this website confirmed that my account details weren't leaked. Regardless of the strength of the password, if it's part of the leaked accounts from other websites, it would still be compromised. So yeah, I don't know where or how someone managed to snoop my password. OhanaBot (talk) 15:15, 5 November 2015 (UTC)
    @OhanaBot: They didn't say that they got it through that website, just that it was an example of where passwords have been acquired. Sam Walton (talk) 15:46, 5 November 2015 (UTC)
    Actually, the "intruder" (I hesitate to use the word hacker) said he got your password through a gaming forum that was hacked.

    It had nothing do with Canadian data breaches. Salv’s was from the XSplit leak in November 2013. https://www.xsplit.com/blog/regarding-rumors-of-potential-leak-of-user-data and Ohana’s, from a runescape forum that is not on the breached list.

    Countless usernames, emails and plain text passwords of Wikipedia accounts are listed in the data breaches, including accounts with CU/OS permissions. One that stood out was that of a former arb and WMF staff member whose same password was listed on multiple dumps. I also came across login details for multiple emails ending with @wikimedia.org, recognized some as having developer access. FWIW, they all had mostly strong passwords, although it hardly matters if they use the same password on WP. Now, I didn’t try logging into any of these to check if they work or not. The only reason I tried logging into these two accounts is because I recognized them as familiar admin accounts which had numbers as passwords and I was convinced it wouldn’t give me access. Once it did, I only had two options, either post to BN or forget about it. Had I reported it to Arbcom or privately, it would have been swept under the rug.

    For all we know, people have been accessing admin accounts with impunity for years without anyone knowing. Nothing short of a forced reset for passwords on all privileged accounts is going to solve this.

    I didn’t comb through the data further nor do I intend to - but that does not mean others won't.

    — cwmtwrp, Reddit comment
     · Salvidrim! ·  18:21, 5 November 2015 (UTC)

    I have gone ahead and forwarded DeltaQuad a screenshot of the conversation, for the record. Kevin Rutherford (talk)| —Preceding undated comment added 18:54, 5 November 2015 (UTC)

    I have provided the info to DeltaQuad and she said she's satisfied with it. Now waiting for stewards to unlock the account. OhanaBot (talk) 03:22, 6 November 2015 (UTC)
    @Ohanabot:, @OhanaUnited:. I have unlocked your account. QuiteUnusual (talk) 08:12, 6 November 2015 (UTC)
    And I've unblocked. We can return the bit when Arbcom gives the nod. WormTT(talk) 08:47, 6 November 2015 (UTC)
    Nod One, Nod Two. NE Ent 23:23, 6 November 2015 (UTC)
     Done ···日本穣 · 投稿 · Talk to Nihonjoe · Join WP Japan! 00:18, 7 November 2015 (UTC)
    I am now confirming that I have full control of the account. OhanaUnitedTalk page 05:35, 7 November 2015 (UTC)

    The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

    Procedural desysops

    If we decide to run a password cracker or send out notices, I think we should apply it to recently procedurally desysopped admin accounts as well, since they can become admins again with little effort. This is doubly important as the rightful owner is less likely to notice if their account has been compromised. — Earwig talk 22:12, 4 November 2015 (UTC)

    It is probably easier to run it every time someone is going to get an admin bit, since there are also RFAs.--Ymblanter (talk) 00:47, 5 November 2015 (UTC)
    Hmm... I mean, I could compromise an inactive account, change the password to something strong that the rightful owner doesn't know, and then request the bit back. Running a cracker then wouldn't exactly help. I don't know; this is becoming quite beansy. Perhaps 'crats could employ a stricter set of verification criteria for allowing resysopping after inactivity, but I realize that's not always possible if the admin never revealed any personal info like an email address or committed identity. — Earwig talk 00:57, 5 November 2015 (UTC)

    Security review RfC

    Having discussed the matter with a member of the WMF Security team, I've put some options together on Wikipedia:Security review RfC. Please can interested parties go there and have a look? WormTT(talk) 10:49, 5 November 2015 (UTC)

    Admin how-to guide and new admin school

    I've been working to revamp the new admin school (which was actually renamed to just "new admin"), and since you guys are the ones who direct new admins to such pages I thought I'd ask for a little input. I noticed WP:ADMINGUIDE repeats much of the info at WP:NAS, and presents it in a less-organized way. So what I'd like to do is merge everything into "new admin", as otherwise having this information fragmented like this is confusing and makes it difficult to maintain. Some things like merging page histories we're not really going to be able to provide a playground for new admins to test it out, so we're in effect stepping away from a "school" and just providing a single comprehensive reference point. Any thoughts on this matter? It's a lot of work that I'm willing to undertake but I figure I should make sure everyone is OK with it before proceeding. We might also consider a new name entirely, perhaps "admin reference"? MusikAnimal talk 03:14, 8 November 2015 (UTC)

    I helped write some of the New Admin School eight years ago (in fact, its creation stemmed from when I was a new admin in need of how to use the tools), and so I've noticed that over time parts of it have become outdated and messy. If you're willing to put in time and effort to tidy and update it, I would be extremely grateful. :) Acalamari 13:52, 8 November 2015 (UTC)
    I put some effort in not too long ago to update some of the areas including new screenshots, but it could probably still do with some work. Sam Walton (talk) 14:52, 8 November 2015 (UTC)
    Yes it is badly outdated, I've come to find out. I think I've got the blocking and protection pages all up to speed, and I unified a user rights management section. Next I want to merge in WP:ADMINGUIDE, which is going to take a while. I also want to add a section for the basics on responding to reports at noticeboards, such as AIV, RFPP etc. I think the more comprehensive we make WP:NAS the less we'll have to "learn on the job". I know I personally made a handful of mistakes as a new admin just because I was trying to learn the ropes out on the field, as prior documentation did not exist. MusikAnimal talk 17:48, 8 November 2015 (UTC)
    Kudos to anyone willing to work on the new admin guide. It appears there is a procedure for dealing with deceased editors, which I was supposed to know about. Perhaps it can be included.--S Philbrick(Talk) 02:13, 9 November 2015 (UTC)
    Yeah, I didn't know about that either. I can try to work out a miscellaneous section for little things like this. MusikAnimal talk 03:10, 9 November 2015 (UTC)
    The WP:Deceased_Wikipedians/Guidelines is the actual guideline, starting with being sure the user actually died. We post a request at WP:RFPP and link to the guide as here. (I didn't add the non-breaking spaces, just the request at the bottom of the diff...grumble.) On the confirmed death of an administrator, there would be a post here (and probably to the crat mail list). I wasn't aware that User:Telsa died. DocTree (ʞlɐʇ·ʇuoɔ) WER 04:37, 9 November 2015 (UTC)

    Please reinstate my access to the admin tools

    In September I asked that the admin tools be removed from my account while I was travelling overseas in case anything went wrong from using shared internet connections. I've now returned home and would appreciate it if my access to the tools could be reinstated. Thanks, Nick-D (talk) 02:49, 12 November 2015 (UTC)

    Requesting desysop

    Given the recommendations that have been made to me, I voluntarily lay down my adminship, recognizing that I will need to make a new request for adminship in order to have a chance at becoming an administrator again. I understand that becoming an administrator again in the future will not be automatic upon reapplication. Neelix (talk) 19:14, 12 November 2015 (UTC)