
About [[Phabricator:phabricator-people-148aaf2e06c62283/en]]: extremely unsecure suggestion!
Closed, Declined | Public | Bug Report

Description

Steps to replicate the issue (include links if applicable):

The embedded hint is the worst suggestion I have ever seen from Phabricator or any Wikimedia project:

After you set a new password, consider writing it down on a sticky note and attaching it to your monitor so you don't forget again! Choosing a very short, easy-to-remember password like "cat" or "1234" might also help.

If it is followed, it completely destroys the usefulness of passwords, allowing anyone to easily take control of accounts; bots would easily target these accounts as well. Various projects have strong requirements about the choice of a good password (notably for administrator accounts, or accounts created for privacy and whose owners could become the source of legal threats when editing sensitive articles like those about the war in Ukraine, or LGBTQI+ topics, or accounts used for development with the review of edits, or approval and integration of changes in code or policies). Also, noting passwords on Post-its is not secure at all.

This is also a very bad suggestion for any other web site: users are instructed everywhere to NEVER use those "easy" tricks that break all best recommendations made by many authorities and project managers (and even by Wikimedia itself).

Given the now very HUGE risk of third-party attacks on the web (where personal account details are stolen by the tens of millions, even on very popular sites that were supposed to be secured, including massive attacks against popular wikis), we need stronger passwords stored in safe places, and that are also unique for each site (so that users of the wiki will also NOT reuse their passwords for their other critical accounts such as their bank, merchant sites, gaming sites, or other professional websites, or government and social security websites).

In all cases, the statement quoted above should be discarded completely. It is much safer to forget a password that you can change again by asking the website to generate a temporary password with which you can reconnect and change it immediately on first logon.

Instead, we should instruct users to consider using password managers (that can help generate strong passwords, and that can save them in a secured store). Today, password managers are integrated in most major web browsers, and allow synchronizing them across multiple devices, or can be integrated as plugins for most browsers or as accessibility companion apps for mobile devices.

Good password managers can also give hints when some known sites have been hacked, or when user passwords that were harvested on users' devices or stolen from legitimate sites are found on the dark web, where they are republished or resold.

I hope this is not a joke, but such a joke on this kind of security-related topic should be removed.

Note that "Phabricator (People)" is old and comes from the version that existed in 2014/2015, when the Phabricator project had still not been taken over by Wikimedia; existing searches about it give results only in the legacy "phabricator.com" domain where it was hosted, and Phabricator was being experimented with to replace Bugzilla. Old Bugzilla bugs still reference that old instance of Phabricator, which is still active (even if new bugs can no longer be added there, there are some replies occurring, and it has not been frozen completely and archived, with links pointing to the new location which was set up on a subdomain of Wikimedia.org in 2016). But the former organization of its translation is still based on modules that existed in 2016; today, many projects have been restructured, but identifying i18n messages and fixing them is a huge and complex task, so there are lots of legacy messages that were either not translated at all or not reviewed, with many errors. It is not easy to see how they are used, as they are poorly documented, most often only by line numbers in some files that may have changed a lot since then.


See also https://translatewiki.net/wiki/Thread:Support/About_Phabricator:phabricator-people-148aaf2e06c62283/fr:_extremely_unsecure_suggestion

Event Timeline

Verdy_p updated the task description.

Yes, that's upstream humor. We do not care in Wikimedia Phabricator because we do not allow separate passwords for Wikimedia Phabricator - all authentication for Wikimedia Phabricator is done via external accounts so you cannot create a password in Wikimedia Phabricator itself.

Feel free to report to https://we.phorge.it/ . Regarding Wikimedia we don't care about this string as it's never displayed here.

I did not know that Phorge.it ever existed, but it is developed as a recent fork of Wikimedia Phabricator, while this message has been present for a long time, even before Wikimedia fully adopted it (when it was abandoned as open source by a former company). So now who manages these parts that Wikimedia itself chose not to use?
And it's strange because Wikimedia Phabricator requires a separate registration and not Wikimedia SUL for its wikis.

phorge.it is a fork of Phabricator (the general software, "upstream"). It is not a fork of Wikimedia's instance (installation) of the Phabricator software.
Wikimedia uses a lot of upstream projects but does not develop them: https://www.mediawiki.org/wiki/Upstream_projects

But there is no longer any "upstream" Phabricator, because it has been defunct for a long time; the Wikimedia branch then has to be defined by Wikimedia. And I don't know how Phorge.it is working, as Wikimedia has never been involved in that separate branch, which also depended on the former "upstream" project. If there are still other existing forks of Phabricator, they should join their efforts, but Wikimedia has many more developers for it, and the translations for Phabricator made in translatewiki.net only come from the Wikimedia branch. It's very likely that Phorge.it does not use any of these TWN messages, and that they just use a limited set of translations for a more limited set of target languages.
Is there any effort to join the efforts across these branches (e.g. in a Wikimedia meeting or a small working group trying to reunite their efforts)?

There is an upstream: phorge.it. That is the "effort to join the efforts".
I don't know if phorge.it uses translations from twn, that's a good question for phorge.it folks.

So phabricator.com is dead?

Neither completely dead nor much alive I'd say. https://secure.phabricator.com says "Effective June 1, 2021: Phabricator is no longer actively maintained."
See also https://www.mediawiki.org/wiki/Topic:Woh7rhuiccr42fma for a better venue to have the "Wikimedia and Phabricator" discussion.

With a downstream hat on I still don't mind though as we do not expose this message in this very installation. :)