66:
73:
93:
413:
53:
629:
221:. The commitment is placed somewhere in the editor's User space. If the account is compromised or hijacked, the editor provides the secret string to a trusted administrator or a developer, who verifies that the secret string matches the commitment value. Because the hash function is "one-way", it is impossible to calculate backwards to find a string value matching a given hash value, and the odds of a random string having the same hash value (a
157:
83:
103:
63:
205:; this is a group of words and numbers or a phrase known only to the account holder. The secret string can be any length; a good string will contain at least 15 characters and include unique information that only the account holder would know, such as a phone number or private e-mail address (not the address associated with your wikipedia account). The secret string is then processed through a
113:
672:
If someone has a general idea of what it could be, it could narrow the possibilities tremendously. For example, the example given in the article that says to change "Hewey, Dewey and Louie, October 17, 1937." to "Hewey
October Dewey 17 Louie 1937. Egg salad is murder!" could still be brute-forced if
667:
This feature has great potential and I think this could be very useful. However, while following the advice " contain at least 15 characters and include unique information that only the account holder would know" would make it impossible to brute-force it by guessing random characters, it still has
510:
This page is tagged as out of date, and there's a recommendation from Feb 2014 to only use cryptographic algorighms which are considered strong. Does anyone know if there are instructions anywhere for how to do this? Or any plans to update this page? Or any change to the recommendation -- perhaps
225:) is negligible. Therefore, knowing the string that produces a given value is very strong evidence that the person giving the string is the person who originally published it. Once the string is verified, the developers can reset the password to allow the original account holder to regain control.
232:
keypair and place the public key on their user page, and then prove their identity by using the private key to sign any message the challenger wants signed. However, this requires more technical competence, and it is necessary to ensure the private key file is well-protected (it is no longer a
473:
106:
76:
343:
Your secret string should not be easily guessable based on what you have publicly revealed about yourself. For example, if you use your real name on
Knowledge, your address or telephone number might be guessable, so be sure to make part of your string an unguessable
694:
While these methods take a lot of effort, there are millions of people who use
Knowledge, and if just one black-hat hacking group managed to compromise an interface administrator's account they could have Knowledge steal everyone's passwords and install malware.
162:
This page contains information which may be out of date. In particular, some of the encryption and authentication algorithms mentioned are no longer considered secure. When creating a "committed identity", only use cryptographic algorithms which are considered
33:
607:
This article was published before I'd even started editing
Knowledge (before, indeed many did). I see this because it is on my mass-issue watchlist, which I'm not entirely sure isn't unique, so I'd advise you try to bring this up elsewhere (village pump?).
177:(with the help of several others) has proposed a method that editors can use to identify themselves as the original account holder to regain control of a hijacked account. At this writing, about 300 users have confirmed their identities using this method.
116:
320:'s account is compromised or hijacked, he can e-mail the string to the Wikimedia Foundation office. If the hash value of the string matches the hash value previously posted on his user page, he will have proven that he is the rightful account owner.
96:
689:
It would involve sending the string to the
Knowledge administrators. A good string would be something nobody else knows, and I would assume that many of those things are not chosen because the user isn't comfortable with sharing that with the
574:
192:
to a secret string on the user page so that, in the unlikely event that their account is compromised, they can convince someone else that they are the real person behind the username, even if the password has been changed by the hijacker.
601:
430:
777:
This is an attempt to improve the process, as I find mine is now broken. I realise this talk page isn't structured the way most are so hopefully I'm makinng edits the right way? Please just delete what's not needed. --
520:
686:: if an attacker reads the sent folder of someone's email, they can send the same code to Knowledge and it would be impossible to determine who is the attacker and who is the legitimate user
576:
515:
Because this was part of a dated edition of the "Wikimedia
Signpost," it would be inappropriate to edit the body of this page. However, it would be entirely appropriate to create a
442:
387:
651:
621:
488:
39:
528:
437:
379:
457:
395:
462:
399:
86:
188:
gives editors a way to later prove that they are the person who was in control of their account on the day the template was placed. This is done by putting a public
290:{{user committed identity|b43f3e39de3f501217144badfc64687a2f516d5d1205d89e51c003715f8609adfbd085afcac3839f7d1008d185e4ab0040edecf62671dbf66a825823e7d3ad42|SHA-512}}
170:
786:
568:
317:
280:
253:
242:
832:
452:
391:
424:
679:
Many users might not follow this advice and choose an insecure string, which would mean it could be brute-forced by guessing random characters
884:
493:
762:
751:
They then email this to the
Wikimedia foundation. If the random number has been used before or it is the wrong username, they ignore it.
500:
56:
276:
b43f3e39de3f501217144badfc64687a2f516d5d1205d89e51c003715f8609adfbd085afcac3839f7d1008d185e4ab0040edecf62671dbf66a825823e7d3ad42
21:
304:
b43f3e39de3f501217144badfc64687a2f516d5d1205d89e51c003715f8609adfbd085afcac3839f7d1008d185e4ab0040edecf62671dbf66a825823e7d3ad42
860:
477:
855:
850:
716:/" plus the secret string, such as "REFERENCE/User:DonaldDuck1/Hewey October Dewey 17 Louie 1937. Egg salad is murder!".
845:
815:
Advice could be given, such as: including in the public part of the text a hint as to where the secret bit was stored.
535:) would need to be adjusted and hatnotes would need to be added to the top of both the Signpost article and the new
299:
284:
185:
758:
secret key (originally sent by the user) is equal to the string that was just emailed, this is the correct secret.
657:
812:
Users who fail to store their secret are potentially worse off than those who don't bother using the scheme.
767:
This is very cumbersome for both the user and the
Wikimedia foundation. However it can easily be added as a
562:
840:
676:
In the case that someone has a number of ideas, they would easily be able to verify whether one is correct.
583:
547:
543:
524:
412:
17:
333:
206:
772:
645:
615:
797:
When the secret is used, something needs to be done to mark it as being used, and then to replace it.
730:
256:
has mentioned his family on
Knowledge, this might be too easily guessed. A useful variation would be
698:
748:", for example "12345678/User:DonaldDuck1/Hewey October Dewey 17 Louie 1937. Egg salad is murder!".
706:
245:
chooses a "secret string" that includes the names and birthdate of his nephews. His string is,
783:
546:"in place," why bother with a draft? The answer is that there are too many incoming links to
800:
755:
720:
519:
information page about committed identities that is up-to-date. It should probably be named
550:
and it would be a bad idea to have people clicking on those links see a draft-in-progress.
866:
8:
712:
The user comes up with a secret string and gets the SHA512 hash of the string "REFERENCE/
640:
610:
597:
229:
196:
173:
report of five administrator accounts being hijacked by having their passwords cracked,
180:
143:
135:
779:
558:
484:
307:
189:
582:
I had started a rough draft of a page that could be considered an actual policy for
351:
on your account. It is better to never have your account stolen in the first place.
511:
now that we're on a secure server, it's not as crucial? 08:58, 8 April 2014 (UTC)
358:
126:
791:
348:
174:
633:
587:
222:
662:
369:
878:
683:
532:
818:
Advice could be given, for the user to put an expiry time on the protection.
337:
673:
someone knows the user's family members and has a powerful enough computer.
551:
523:
or something like that. Once it is created and accepted by the community,
323:
233:
simple message, although it can of course be encrypted with a passphrase).
527:
can be deleted and the new page moved into its place. Shortcuts listed
34:
User committed identities provide protection against account hijacking
723:
with a secret key only
Knowledge knows, then send it back to the user
236:
807:
output would assist. The disadvantage is increased complexity.
804:
214:
210:
719:
They then email this to the Wikimedia foundation, and they
364:
267:
262:
Hewey October Dewey 17 Louie 1937. Egg salad is murder!
283:
would then put the hash value on his user page using
498:If your comment has not appeared here, you can try
876:
332:Although the template defaults to SHA-512, any
270:to calculate the SHA-512 hash value produces
124:
703:Here is a different process that I propose:
575:Draft for "Committed identity" proposal at
248:Hewey, Dewey and Louie, October 17, 1937.
542:You may be asking "but why not just edit
521:Knowledge:Committed identity/2014 draft
501:
14:
877:
586:. Any help with this task is welcome.
347:This is not a substitute for using a
228:Alternatively, a user could create a
726:The user adds this to their usercard
151:
885:Knowledge Signpost archives 2007-05
310:to this user's real-life identity.
217:to generate a unique hash value or
27:
577:Draft:Knowledge:Committed identity
411:
28:
896:
803:the secret with the result of an
483:These comments are automatically
365:Calculate some common hash values
627:
340:for information on alternatives.
295:
285:Template:User committed identity
186:Template:User committed identity
155:
111:
101:
91:
81:
71:
61:
51:
329:Do not lose your secret string.
494:add the page to your watchlist
13:
1:
736:The user takes the hash of "
668:a number of security holes:
584:Knowledge:Committed identity
548:Knowledge:Committed identity
544:Knowledge:Committed identity
525:Knowledge:Committed identity
469:
370:Calculate a SHA-3 hash value
18:Knowledge:Knowledge Signpost
7:
787:12:24, 13 August 2023 (UTC)
334:cryptographic hash function
213:(SHA-512, SHA-384, ...) or
207:cryptographic hash function
10:
901:
569:03:00, 10 April 2014 (UTC)
133:
443:Academic journal coverage
388:Academic journal coverage
652:05:52, 26 May 2015 (UTC)
622:05:52, 26 May 2015 (UTC)
602:19:53, 25 May 2015 (UTC)
773:Making this more robust
763:Automating this process
658:Making this more secure
293:which looks like this:
833:looking for new talent
746:<secret string: -->
738:<random number: -->
491:. To follow comments,
416:
731:Recovering an account
415:
487:from this article's
438:Compromised accounts
380:Compromised accounts
201:An editor chooses a
458:Features and admins
396:Features and admins
707:Setting the secret
537:Committed identity
508:==April 8, 2014==
478:Discuss this story
463:Arbitration report
448:Committed identity
417:
384:Committed identity
336:can be used. See
316:In the event that
300:Committed identity
31:Committed identity
742:<username: -->
714:<username: -->
699:Proposed proccess
567:
566:
502:purging the cache
403:
378:Also this week:
314:
313:
167:
166:
892:
869:
769:
768:
650:
648:
637:
631:
630:
620:
618:
594:
556:
555:
505:
503:
497:
476:
435:
427:
420:
376:
296:
281:User:DonaldDuck1
243:User:DonaldDuck1
159:
158:
152:
146:
129:
115:
114:
105:
104:
95:
94:
85:
84:
75:
74:
65:
64:
55:
54:
900:
899:
895:
894:
893:
891:
890:
889:
875:
874:
873:
872:
871:
870:
865:
863:
858:
853:
848:
843:
836:
825:
824:
794:
775:
765:
733:
721:pepper the hash
709:
701:
690:administrators.
665:
660:
646:
639:
632:
628:
616:
609:
588:
580:
507:
499:
492:
481:
480:
474:+ Add a comment
472:
468:
467:
466:
428:
423:
421:
418:
406:
405:
404:
361:
349:strong password
326:
277:
263:
249:
239:
199:
183:
169:In the wake of
156:
150:
149:
142:
138:
131:
130:
123:
122:
121:
112:
102:
92:
82:
72:
62:
52:
46:
43:
32:
26:
25:
24:
12:
11:
5:
898:
888:
887:
864:
859:
854:
849:
844:
839:
838:
837:
827:
826:
823:
822:
821:
820:
819:
816:
810:
809:
808:
793:
790:
774:
771:
764:
761:
760:
759:
752:
749:
732:
729:
728:
727:
724:
717:
708:
705:
700:
697:
692:
691:
687:
684:repeat attacks
682:Vulnerable to
680:
677:
674:
664:
661:
659:
656:
655:
654:
624:
579:
573:
572:
571:
540:
482:
479:
471:
470:
465:
460:
455:
450:
445:
440:
434:
422:
410:
409:
408:
407:
375:
374:
373:
372:
367:
360:
357:
355:
353:
352:
345:
341:
330:
325:
322:
312:
311:
279:
275:
273:
265:
261:
259:
251:
247:
238:
235:
223:Hash collision
198:
195:
182:
179:
165:
164:
160:
148:
147:
139:
134:
132:
120:
119:
109:
99:
89:
79:
69:
59:
48:
47:
44:
38:
37:
36:
35:
30:
29:
15:
9:
6:
4:
3:
2:
897:
886:
883:
882:
880:
868:
862:
857:
852:
847:
842:
834:
830:
817:
814:
813:
811:
806:
802:
799:
798:
796:
795:
789:
788:
785:
781:
770:
757:
753:
750:
747:
743:
739:
735:
734:
725:
722:
718:
715:
711:
710:
704:
696:
688:
685:
681:
678:
675:
671:
670:
669:
653:
649:
644:
643:
635:
625:
623:
619:
614:
613:
606:
605:
604:
603:
599:
595:
593:
592:
585:
578:
570:
564:
560:
553:
549:
545:
541:
538:
534:
530:
526:
522:
518:
514:
513:
512:
504:
495:
490:
486:
475:
464:
461:
459:
456:
454:
451:
449:
446:
444:
441:
439:
436:
432:
426:
419:In this issue
414:
402:
401:
397:
393:
389:
385:
381:
371:
368:
366:
363:
362:
356:
350:
346:
342:
339:
338:this web site
335:
331:
328:
327:
321:
319:
309:
306:is a SHA-512
305:
301:
298:
297:
294:
291:
288:
286:
282:
274:
271:
269:
268:this web site
260:
257:
255:
246:
244:
241:For example,
234:
231:
226:
224:
220:
216:
212:
208:
204:
203:secret string
194:
191:
187:
178:
176:
172:
161:
154:
153:
145:
141:
140:
137:
128:
118:
110:
108:
100:
98:
90:
88:
80:
78:
70:
68:
60:
58:
50:
49:
41:
23:
19:
829:The Signpost
828:
776:
766:
745:
741:
737:
713:
702:
693:
666:
641:
611:
590:
589:
581:
536:
516:
509:
447:
431:all comments
383:
377:
354:
315:
303:
292:
289:
278:
272:
264:
258:
252:However, if
250:
240:
227:
218:
202:
200:
197:How it works
184:
168:
57:PDF download
867:Suggestions
485:transcluded
425:14 May 2007
400:Arbitration
318:DonaldDuck1
287:like this:
254:DonaldDuck1
181:What is it?
171:last week's
127:Thatcher131
107:X (Twitter)
780:Silicosaur
626:Addendum:
308:commitment
219:commitment
190:commitment
175:Mangojuice
45:Share this
40:Contribute
22:2007-05-14
861:Subscribe
801:Peppering
634:Steel1943
591:Steel1943
489:talk page
453:WikiWorld
392:WikiWorld
359:Resources
879:Category
856:Newsroom
851:Archives
756:peppered
563:contribs
209:such as
136:Shortcut
97:Facebook
87:LinkedIn
77:Mastodon
20: |
754:If the
552:davidwr
344:secret.
237:Example
163:strong.
792:Issues
663:Issues
533:WP:CID
531:(e.g.
266:Using
144:WP:CID
117:Reddit
67:E-mail
846:About
805:S/KEY
539:page.
324:Notes
215:SHA-3
211:SHA-2
16:<
841:Home
598:talk
559:talk
529:here
831:is
647:Mar
642:Res
617:Mar
612:Res
561:)/(
517:new
230:PGP
125:By
42:—
881::
784:us
638:.
600:)
398:—
394:—
390:—
386:—
382:—
302::
835:.
782:'
744:/
740:/
636::
596:(
565:)
557:(
554:/
506:.
496:.
433:)
429:(
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.