User:Johnuniq/Security
Thoughts on security, initially for a reply at WT:ACN.
Hacking of Wikipedia accounts
Many admin and non-admin accounts have been compromised at Wikipedia (over 30 at enwiki and more at other Wikipedias). Almost certainly that has been done by attackers matching the list of admins with lists of user accounts hacked on other websites and finding cases where the hacked password was reused at Wikipedia.
Security recommendations
Use a unique password for your Wikipedia account. The password should be different from any other password you use now, or have used in the past, at any other website or organization.
Use a different unique password for any email address associated with your account. Having an attacker guess your Wikipedia password would be bad enough, but it would be much worse if they can also guess your email account password.
Any unique password of reasonable length is probably good enough for use at Wikipedia if attackers never get access to Wikipedia's internal database. To avoid having your password hacked even if the database is exposed, a long password should be used such as a unique sentence of 32 or more characters.
See:
- Wikipedia:Password strength requirements
- meta:Make sure you have a password
- Wikipedia:Village pump (policy)#Macon's Principle (permalink)
Checking whether a password has been hacked
Troy Hunt created Have I Been Pwned? (HIBP) at https://haveibeenpwned.com/
Anyone can enter their email address at HIBP to determine whether that address (and possibly associated passwords) has been exposed during the numerous cases of systems being hacked. People who are not comfortable entering their email address have other choices.
One option is to enter your password at Passwords to see whether it has appeared in any known data breach. If you are not comfortable entering your email address, you probably will not want to enter your password either. The website claims that (if you have JavaScript enabled in your browser) whatever you enter as your password will be hashed on your computer and only the hash will be sent over the internet to the website. However, to avoid phishing, the golden rule is to never enter your password except when you are certain you are logging in at the authentic website.
It is possible to check whether a password has been exposed in hacks that have been made public, using a method explained at Slashdot and documented at HIBP. In summary:
- Find the SHA-1 hash of your password using software on your computer (see SHA-1 hash below).
- Split the hash into two parts: the first five characters and the rest.
- Paste https://api.pwnedpasswords.com/range/XXXXX in your browser after replacing "XXXXX" with the first five characters of your hash.
- Use your browser's search function (Ctrl-F) to search for the rest of the hash.
For example, assume the password is password.
- SHA-1 hash of "password": 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
- First five characters: 5baa6
- Remaining characters: 1e4c9b93f3f0682250b6cf8331b7ee68fd8
- URL to visit: https://api.pwnedpasswords.com/range/5baa6
- Search for 1e4c9b93f3f0682250b6cf8331b7ee68fd8 (case insensitive) on that page.
In December 2018 the example found:
- 1E4C9B93F3F0682250B6CF8331B7EE68FD8:3533661
This result indicates that "password" has been used on hacked accounts 3,533,661 times.
For another example, the password Jimbo42 has hash 9f0566f3de9aaaa346f862164c491d861c315c29, and searching https://api.pwnedpasswords.com/range/9f056 in December 2018 showed that accounts operated by various people with that password had been hacked 7 times.
SHA-1 hash
Various methods are available to generate a SHA-1 hash.
- To do: Some of the procedures below may not work with passwords using Unicode characters. HIBP uses the SHA-1 hash of a UTF-8 encoded password.
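As an added example (not part of this user page's original text), the following Python 3 script carries out the range-check procedure described above entirely offline: it hashes the UTF-8 encoded password, splits the hash into the five-character prefix and the 35-character remainder, and scans a range response for that remainder. The sample response is constructed here from the December 2018 result quoted above plus two made-up lines; in real use the text would come from fetching the URL that range_url() builds, and only the five-character prefix ever leaves your computer. Because the password is encoded as UTF-8 before hashing, it also covers the Unicode case flagged in the to-do note.

```python
import hashlib
import re

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 encoded password, as 40 lowercase hex characters.

    Encoding to UTF-8 first is what HIBP hashes, so non-ASCII passwords
    hash the same way here as they do on the HIBP side.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def split_hash(hexdigest: str):
    """Return (first five characters, remaining 35 characters), upper-cased
    to match the format of the range response."""
    h = hexdigest.upper()
    if not re.fullmatch(r"[0-9A-F]{40}", h):
        raise ValueError("expected a 40-character hex SHA-1 digest")
    return h[:5], h[5:]


def range_url(prefix: str) -> str:
    """URL to visit for a given five-character prefix."""
    return RANGE_API + prefix.upper()


def count_in_range(suffix: str, response_text: str) -> int:
    """Scan a range response (one 'SUFFIX:COUNT' per line) for the suffix.

    Returns the breach count, or 0 if the suffix is not listed. Matching is
    case-insensitive, as the page notes for the browser search.
    """
    wanted = suffix.upper()
    for line in response_text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # skip blank or malformed lines
        listed_suffix, count = line.split(":", 1)
        if listed_suffix.upper() == wanted:
            return int(count)
    return 0


def pwned_count(password: str, fetch_range) -> int:
    """fetch_range(prefix) must return the text of the range response for
    that five-character prefix (for example from an HTTPS GET of
    range_url(prefix)). Only the prefix is passed out; the full hash and the
    password stay local."""
    prefix, suffix = split_hash(sha1_hex(password))
    return count_in_range(suffix, fetch_range(prefix))


# Constructed sample of a range response for prefix 5BAA6. The first line is
# the real December 2018 result quoted on this page; the other two lines are
# made up (35-character suffixes built from repeated digits) for illustration.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3533661\n"
        + "0" * 35 + ":2\n"
        + "F" * 35 + ":15\n"
    ),
}


def sample_fetch(prefix: str) -> str:
    """Stand-in for the network fetch: looks up the constructed sample."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    prefix, suffix = split_hash(sha1_hex("password"))
    print("visit:", range_url(prefix))
    print("search for:", suffix)
    print("count in sample response:", pwned_count("password", sample_fetch))
```

To use it against the live service, replace sample_fetch with a function that performs an HTTPS GET of range_url(prefix) and returns the response body; the rest of the script is unchanged.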
Sandbox
Warning: If you accidentally publish the following edit, your password will be saved in the history of the sandbox! If that happens, undo your edit with an innocuous edit summary ("fix") and follow the instructions at Wikipedia:Requests for oversight.
Module:IPblock has a function that can calculate a SHA-1 hash. Edit your sandbox and replace its contents with
{{subst:#invoke:IPblock|sha1|password}}
after changing password to the password to be hashed, then preview the edit. The hash can be copied from the previewed sandbox page. When finished, close the browser window to discard the edit. Do not click Publish changes.
Python
If Python is installed on your computer, and assuming the password does not contain a quote (") or an apostrophe ('), one of the commands below can be used to obtain its SHA-1 hash. On a Windows computer these would be entered at the command prompt (run cmd.exe).
If Python 2 is available, use the following after replacing password with the password to be hashed.
python -c "import hashlib; print hashlib.sha1('password').hexdigest()"
If Python 3 is available, use the following after replacing password with the password to be hashed. Python 3 will not hash a text string directly, so the password is first encoded as UTF-8, which is also the encoding HIBP hashes.
python -c "import hashlib; print(hashlib.sha1('password'.encode('utf-8')).hexdigest())"
Linux
The sha1sum utility is often available on Linux systems and can be used from a terminal. For example, if the password being hashed is password, enter:
echo -n "password" | sha1sum
The result should show 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 - where the first field is the SHA-1 hash and the trailing - indicates that the input was read from standard input (the command line), not from a file.
Any double-quote characters in the password need a preceding backslash. For example, if the password being hashed is abc"xyz, enter:
echo -n "abc\"xyz" | sha1sum
macOS
In Applications > Utilities open Terminal and enter:
echo -n "password" | openssl sha1
The result should show 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8, which is the SHA-1 hash. This assumes the password being hashed is password.
Windows
The File Checksum Integrity Verifier can be downloaded from Microsoft. No installation is required. Expand the download in a directory, run cmd.exe and change to that directory. Create a text file called, for example, pw.txt that contains the password with no extra spaces or newlines. When looking at the file in Notepad, there must be only one line (pressing the cursor down key should not move the cursor). At the command prompt in the directory containing pw.txt, enter:
fciv -sha1 pw.txt
The text file must be saved with ANSI or UTF-8 encoding and there must not be a BOM before the text. Any BOM would be included in the hash, so the result would be wrong.
Web calculator
If you are prepared to enter your password into a website, use: toolforge:text2hash (requires JavaScript).