Wikipedia:Wikipedia Signpost/2010-08-23/Technology report

Technology report

Bugs, Repairs, and Internal Operational News

Plans to improve password security

Head developer Tim Starling has proposed an upgrade of the way the MediaWiki software (and hence Wikimedia sites) hashes passwords (wikitech-l mailing list). He outlined concerns that if someone could acquire a password hash from the database, they could recover the password from it and log in as that user within 20 minutes, with no special hardware. Highlighting this issue, he requested that any new system be:

Tim Starling suggested that the "Whirlpool" hash be incorporated as a way of achieving this. The result was a general consensus that the proposed scheme was better than the current process, with a wide-ranging discussion of what might be even better. User:Simetrical played down the threat, arguing that "Hackers go after money, and there's no money in hacking Wikipedia. We have nothing secret or valuable that's not already readily available".

Concerning client-side improvements in password security, a JavaScript-based password complexity checker has recently been written (rev:70520), prompted by the remarks of a security researcher quoted in the Technology Report earlier this month (Study of web passwords includes Wikipedia).

See also earlier Signpost coverage about password security on Wikipedia: Four administrator accounts desysopped after hijacking, vandalism, Administrator status restored to five accounts after emergency desysopping (about a 2007 incident which led to some changes in MediaWiki and the start of the page Wikipedia:Security), Blank passwords eliminated for security reasons (2006), Password security upgraded after Slashdot furor (2005, about an incident after which salted passwords were introduced).


Google Summer of Code: Brian Wolff

We begin a series of articles about this year's Google Summer of Code (GSoC) with student Brian Wolff (User:Bawolff), who describes his project to improve MediaWiki's image metadata support:


Once finished and rounded off, the new code could easily be merged into the MediaWiki base, improving functionality for all new MediaWiki installations and upgrades, including Wikimedia sites. Metadata can also help volunteers to spot low-level image copyright infringement.

In brief

Not all fixes may have gone live to WMF sites at the time of writing; some may not be scheduled to go live for many weeks.

  • The final Vector and advanced editing tools rollout will start on 1 September (Wikimedia techblog), to all remaining wikis (mostly the smaller ones).
  • A number of problems with image thumbnails are outstanding; for example, with large thumbnails (bug #24824) and the sharpness of thumbnails (bug #24857).
  • Further to previous coverage, User:Simetrical has begun his overhaul of the category display system, this week improving the <CategoryTree> extension, which had previously been disabled on WMF wikis over performance concerns (bug #23682).
  • In last week's Technology report, it was noted that the complexity and informality of wikitext presented a problem in developing WYSIWYG editors. Recently, Andreas Jonsson reported preliminary success in moving to a formalised, predictable model (wikitext-l mailing list).
  • Researcher Dirk Riehle argues that "companies are shying away from bringing commercial innovation and investment to MediaWiki because of the uncertainty around its intellectual property", especially the question of whether the GPL would prevent the publishing of proprietary extensions, and the usage of the term "MediaWiki". He suggested setting up a separate "MediaWiki Foundation".