Wikipedia:Administrators' noticeboard
- For urgent incidents and chronic, intractable behavioral problems, use Wikipedia:Administrators' noticeboard/Incidents.
- To request review of an administrator's action or other use of advanced permissions, use Wikipedia:Administrative action review
- If you are new, try the Teahouse instead.
- Do not report breaches of personal information on this highly visible page – instead, follow the instructions on Wikipedia:Requests for oversight.
- For administrative backlogs add {{Admin backlog}} to the backlogged page; post here only if urgent.
- Do not post requests for page protection, deletion requests, or block requests here.
- Just want an admin? Contact a recently active admin directly.
- If you want to challenge the closure of a request for comment, use {{RfC closure review}}.
When you start a discussion about an editor, you must leave a notice on their talk page. Pinging is not enough.
Sections inactive for over seven days are archived by Lowercase sigmabot III.
This page has an administrative backlog that requires the attention of willing administrators. Please replace this notice with {{no admin backlog}} when the backlog is cleared.
This page has archives. Sections older than 6 days may be automatically archived by Lowercase sigmabot III when more than 3 sections are present.
Use the closure requests noticeboard to ask an uninvolved editor to assess, summarize, and formally close a Wikipedia discussion. Do so when consensus appears unclear, it is a contentious issue, or where there are wiki-wide implications (e.g. any change to our policies or guidelines).
Do not list discussions where consensus is clear. If you feel the need to close them, do it yourself.
Move on – do not wait for someone to state the obvious. In some cases, it is appropriate to close a discussion with a clear outcome early to save our time.
Do not post here to rush the closure. Also, only do so when the discussion has stabilised.
On the other hand, if the discussion has much activity and the outcome isn't very obvious, you should let it play out by itself. We want issues to be discussed well. Do not continue the discussion here.
There is no fixed length for a formal request for comment (RfC). Typically 7 days is a minimum, and after 30 days the discussion is ripe for closure. The best way to tell is when there is little or no activity in the discussion, or further activity is unlikely to change its result.
When the discussion is ready to be closed and the outcome is not obvious, you can submit a brief and neutrally worded request for closure.
Include a link to the discussion itself and the {{Initiated}} template at the beginning of the request. A helper script can make listing easier. Move discussions go in the 'other types' section.
Any uninvolved editor may close most discussions, so long as they are prepared to discuss and justify their closing rationale.
Closing discussions carries responsibility, doubly so if the area is contentious. You should be familiar with all policies and guidelines that could apply to the given discussion (consult your draft closure at the discussions for discussion page if unsure). Be prepared to fully answer questions about the closure or the underlying policies, and to provide advice about where to discuss any remaining concerns that editors may have.
Non-admins can close most discussions. Admins may not overturn your non-admin closures just because you are not an admin, and this is not normally in itself a problem at reviews. Still, there are caveats. You may not close discussions as an unregistered user, or where implementing the closure would need tools or edit permissions you do not have access to. Articles for deletion and move discussion processes have more rules for non-admins to follow.
If you want to formally challenge and appeal the closure, do not start the discussion here. Instead follow advice at WP:CLOSECHALLENGE.
Other areas tracking old discussions
- Wikipedia:Requested moves#Elapsed listings
- Wikipedia:Articles for deletion/Old
- Wikipedia:Redirects for discussion
- Wikipedia:Categories for discussion/Awaiting closure
- Wikipedia:Templates for discussion#Old discussions
- Wikipedia:Miscellany for deletion#Old business
- Wikipedia:Proposed mergers/Log
- Wikipedia:Proposed article splits
Administrative discussions
(Initiated 23 days ago on 13 December 2024) challenge of close at AN was archived nableezy - 05:22, 24 December 2024 (UTC)
(Initiated 21 days ago on 15 December 2024) voorts (talk/contributions) 00:55, 28 December 2024 (UTC)
Place new administrative discussions above this line using a level 3 heading
Requests for comment
(Initiated 90 days ago on 7 October 2024) Tough one, died down, will expire tomorrow. Aaron Liu (talk) 23:58, 5 November 2024 (UTC)
(Initiated 69 days ago on 28 October 2024) Participation/discussion has mostly stopped & is unlikely to pick back up again. - Butterscotch Beluga (talk) 21:15, 7 December 2024 (UTC)
- Note: This is a contentious topic and subject to general sanctions. - Butterscotch Beluga (talk) 21:15, 7 December 2024 (UTC)
- Archived. P.I. Ellsworth , ed. put'er there 22:26, 8 December 2024 (UTC)
(Initiated 60 days ago on 6 November 2024) RfC expired on 6 December 2024 [1]. No new comments in over a week. Bogazicili (talk) 15:26, 29 December 2024 (UTC)
(Initiated 51 days ago on 15 November 2024) Clear consensus that the proposed edit (and its amended version) violate WP:SYNTH. However, the owning editor is engaging in sealioning behavior, repeatedly arguing against the consensus and dismissing others' rationale as not fitting his personal definition of synthesis; and is persistently assuming bad-faith, including opening an ANI accusing another editor of WP:STONEWALLING. When finally challenged to give a direct quote from the source that supports the proposed edit, it was dismissed with "I provided the source, read it yourself" and then further accused that editor with bad-faith. The discussion is being driven into a ground by an editor who does not (nor wish to) understand consensus and can't be satisfied with any opposing argument supported by Wikipedia policy or guidelines. --ThomasO1989 (talk) 22:30, 30 December 2024 (UTC)
(Initiated 44 days ago on 22 November 2024) Legobot has removed the RFC notice. Can we please get an interdependent close. TarnishedPathtalk 23:08, 24 December 2024 (UTC)
- Note: Ongoing discussion, please wait a week or two. Bogazicili (talk) 14:08, 29 December 2024 (UTC)
(Initiated 39 days ago on 28 November 2024) Legobot has removed the RFC tag and the last comment was a couple of days ago. Can we please get an independent close. TarnishedPathtalk 10:42, 28 December 2024 (UTC)
(Initiated 38 days ago on 29 November 2024) Legobot has removed the RFC notice. Last comment was a couple of days ago. Can we get an independent close please. TarnishedPathtalk 11:24, 29 December 2024 (UTC)
(Initiated 34 days ago on 2 December 2024) The last comment on this was on 24 December 2024 and Legobot has removed the RFC tag. An independent closer (preferably an admin) would be welcome. Many thanks - SchroCat (talk) 15:57, 5 January 2025 (UTC)
Place new discussions concerning RfCs above this line using a level 3 heading
Deletion discussions
XfD | Oct | Nov | Dec | Jan | Total |
---|---|---|---|---|---|
CfD | 0 | 0 | 3 | 0 | 3 |
TfD | 0 | 0 | 9 | 0 | 9 |
MfD | 0 | 0 | 0 | 0 | 0 |
FfD | 0 | 1 | 6 | 0 | 7 |
RfD | 0 | 0 | 39 | 0 | 39 |
AfD | 0 | 0 | 0 | 0 | 0 |
(Initiated 39 days ago on 27 November 2024) * Pppery * it has begun... 20:02, 26 December 2024 (UTC)
(Initiated 17 days ago on 20 December 2024) HouseBlaster (talk • he/they) 23:10, 30 December 2024 (UTC)
(Initiated 17 days ago on 20 December 2024) HouseBlaster (talk • he/they) 23:10, 30 December 2024 (UTC)
Place new discussions concerning XfDs above this line using a level 3 heading
Other types of closing requests
(Initiated 103 days ago on 25 September 2024) Open for a while, requesting uninvolved closure. Andre🚐 22:15, 20 December 2024 (UTC)
(Initiated 81 days ago on 16 October 2024) Experienced closer requested. ―Mandruss ☎ 13:57, 27 November 2024 (UTC)
(Initiated 79 days ago on 18 October 2024) This needs formal closure by someone uninvolved. N2e (talk) 03:06, 1 December 2024 (UTC)
- I think it would be better to leave that discussion be. There is no consensus one way or the other. I could close it as "no consensus," but I think it would be better to just leave it so that if there's ever anyone else who has a thought on the matter, they can comment in that discussion instead of needing to open a new one. —Compassionate727 (T·C) 14:15, 25 December 2024 (UTC)
(Initiated 69 days ago on 29 October 2024) There are voices on both sides (ie it is not uncontroversial) so a non-involved editor is needed to evaluate consensus and close this. Thanks. PamD 09:55, 17 December 2024 (UTC)
(Initiated 60 days ago on 7 November 2024) Looking for uninvolved close in CTOP please, only a few !votes in past month. I realise this doesn't require closing, but it is preferred in such case due to controversial nature of topic. CNC (talk) 10:44, 2 January 2025 (UTC)
(Initiated 39 days ago on 27 November 2024) Discussion seems to have stopped. As the proposal is not uncontroversial, and I, as the initiator, am involved, I am requesting an uninvolved editor to close the discussion. Arnav Bhate (talk • contribs) 11:02, 26 December 2024 (UTC)
Place new discussions concerning other types of closing requests above this line using a level 3 heading
Pages recently put under extended-confirmed protection
Per WP:SO, I am copying here unblock request made by blocked user User:Leugen9001 on their talk page, for community approval. Checkuser shows no recent socking, and the blocking admin agrees (See: User_talk:Leugen9001#Standard_Offer_Unblock_Request). Vanjagenije (talk) 18:50, 26 April 2018 (UTC)
I would like to request an unblock per the Standard Offer. It has been slightly more than six months since October 1st, 2017, and I would like to return to the encyclopedia. I promise that I shall no longer engage in the disruptive and rule-breaking behaviour that I have demonstrated in the past, and I do not dispute any of the reasons for which I have been banned. I understand that the Wikipedia community has a legitimate reason not to trust my promise and am willing to accept "2nd Chance" limits like topic-bans and requirements to propose changes to articles in order to prove that I can now be a productive member of the community. Leugen9001 (talk) 4:47 am, 12 April 2018, Thursday (15 days ago) (UTC+2)
- Oppose as is my standard unless a user demonstrates they will actually be an asset to the encyclopedia and discusses what they intend to do when they return. This is just a simple rote regurgitation of the SO procedure which does not demonstrate anything other than that they are able to read an essay and paraphrase it in an unblock request. Such requests should be declined. TonyBallioni (talk) 18:58, 26 April 2018 (UTC)
- @TonyBallioni: The user has provided an answer on their talk page, see User_talk:Leugen9001#Standard_Offer_Unblock_Request. Vanjagenije (talk) 13:40, 5 May 2018 (UTC)
- I'm still opposed because I've had bad experiences unblocking people who just give rote explanations in their initial request, and I also don't think that with 61 edits we have anything to go off of (and no, I don't count power's reasoning below as a reason to unblock. Following the rules is required, it is not something that should be looked at as exceptional.) TonyBallioni (talk) 15:12, 5 May 2018 (UTC)
- (edit conflict) Comment. Just to be clear, I don't support (or oppose) the unblock. I have not given the issue any thought. I agree only that the community should decide.--Bbb23 (talk) 19:01, 26 April 2018 (UTC)
- @Leugen9001: As you have talked about proposing changes, I would like to know if there are any particular articles in your mind that you would like to edit. If yes, then what would you really like to change about those articles? D4iNa4 (talk) 19:07, 26 April 2018 (UTC)
- Leugen9001 was more active as a contributor in WikiNews.[2] Their block log is clean there. D4iNa4 (talk) 19:21, 26 April 2018 (UTC)
- WikiNews is also dead, so I'm not really sure it's the best project to point out a track record on. TonyBallioni (talk) 19:25, 26 April 2018 (UTC)
- Support there appears to be minimal history, largely from 2016. If they're willing to go through this rigamarole rather than doing an (invalid) clean start, we should let them. power~enwiki (π, ν) 19:34, 29 April 2018 (UTC)
- Support - user made a reasonably complete unblock request last September, acknowledging their past disruptive behaviour and swearing off it, though its sincerity is questionable seeing how they were still socking at the time. Although, perhaps that's a technicality if their sock didn't actually edit here, and WP:SO does encourage blocked users to edit other wikis. The timing wasn't good, anyway. Still, the user seems to be trying to do the right thing (h/t power~enwiki) and although I'm not terribly hopeful given their request to block their IP in case they "try to do something impulsive", I don't see a good reason not to give this user one last chance. I'd prefer no specific unblock conditions that might encourage "testing the limits", instead the user should realize that if they manage to get themselves blocked again, they can expect that to be more or less permanent. Ivanvector (Talk/Edits) 18:51, 4 May 2018 (UTC)
AN / ANI boards under criticism
The following discussion is closed. Please do not modify it. No further edits should be made to this discussion.
"Out of over one hundred questioned editors, only thirty-six (27%) are happy with the way reports of conflicts between editors are handled on the Administrators' Incident Noticeboard (AN/I), a recent survey by the Community health initiative on English Wikipedia found. The survey, which was undertaken by the Wikimedia Foundation Support and Safety and Anti-harassment Tools teams, also found that dissatisfaction has varied reasons including 'defensive cliques' and biased administrators as well as fear of a 'boomerang effect' due to a lacking rule for scope on AN/I reports." Source: Wikipedia:Wikipedia Signpost/2018-04-26/In focus --Guy Macon (talk) 17:23, 27 April 2018 (UTC)
- Not that it is in any way surprising.--Ymblanter (talk) 17:36, 27 April 2018 (UTC)
- Boomerangs are a feature, not a bug. It's not common for experienced editors to get themselves into hot water, without any kind of pushing involved. If we don't examine all aspects of a situation, we run the risk of rewarding those who stick a foot out and then go to ANI to report an editor has faceplanted into said hot water. --NeilN talk to me 17:51, 27 April 2018 (UTC)
- Boomerang/scope. I think that all aspects of a situation should be reviewed and that one should not automatically adopt the OP's pov. If the boomerang is keeping people from filing frivolous or misleading reports, then good. Defensive cliques. My concern is that there is a lack of input from uninvolved and disinterested editors, so the shrieking just moves here or that one or the other's friends pile on in a biased manner without looking objectively at the situation. We need more uninvolved user engagement, but I for one just avoid the drama.--Dlohcierekim (talk) 18:25, 27 April 2018 (UTC)
- Well, your last sentence is exactly why we don't have more uninvolved user engagement... I deal with ANI issues only when absolutely necessary (or I'm involved somehow). Primefac (talk) 18:46, 27 April 2018 (UTC)
- "Nobody has ever helped their own cause in any way by participating at ANI. Even non-controversial edits have a way of getting people into trouble." power~enwiki (π, ν) 18:42, 27 April 2018 (UTC)
- That's a popular canard. I spent ~8 years as a regular editor bringing relevant issues to ANI and participating in discussions. Most were dealt with appropriately and never once did I get in "trouble". Just make sure your own hands are clean and you present evidence calmly and civilly. --NeilN talk to me 19:57, 27 April 2018 (UTC)
- The easiest way of getting in "trouble" at ANI as a regular editor is by NAC-ing threads (which is strangely controversial). Starting "this is a bad editor but it's too complicated to be handled at AIV" threads is generally fine, and !voting on existing threads ... sometimes is fine. power~enwiki (π, ν) 07:11, 28 April 2018 (UTC)
- Amen.--Dlohcierekim (talk) 20:00, 27 April 2018 (UTC)
- I'm totally on board with changing the organizational culture so that if someone posts a response at ANI that contains a personal attack, the next uninvolved person simply removes it (rather than redact pieces of it) and they can try again. It'll piss off a lot of already pissed off people though. GMGtalk 18:52, 27 April 2018 (UTC)
- I'd be on board with that. If you can't say anything nice... Primefac (talk) 19:01, 27 April 2018 (UTC)
- Of course there's always frivolous reports when the filing party doesn't really understand what they're complaining about, usually with a lot of hot air and noise. Lugnuts Fire Walk with Me 19:58, 27 April 2018 (UTC)
- Not even going to comment on this. Doing so risks sanctions. Legacypac (talk) 20:09, 27 April 2018 (UTC)
- I think you just did.--Dlohcierekim (talk) 00:08, 28 April 2018 (UTC)
Is it not true that if anyone regularly participates in AN or ANI threads as an uninvolved editor -- no matter how helpful those contributions might be -- that fact will be held against them should they ever run for RfA, 'Crat, Arbcom, etc.?
- "I supported but I think the opposers have a valid point in objecting to the candidate's disproportionate focus on drama boards as opposed to content involvement and I would similarly oppose most candidates with that focus without hesitation."[3]
- "My one point of concern is that the candidate seems overly focused on the drama boards"[4]
- (From the candidate) "I have tended to avoid the 'drama boards' ".[5]
- "The only time I'm perturbed by a busy editor with a lower-than-usual percentage of mainspace contributions is when it's someone who spends all their time at drama boards"[6]
- (From the candidate)"I have generally not been an active participant on the 'drama boards' "[7]
- "There is a very large amount of opposition centered on lack of content contributions combined with spending time on drama boards."[8]
- (Advice to someone considering running for RfA) "9 months of solid article work, significantly less activity in drama boards, contribute to the BOT activities..."[9]
So we actively discourage veteran editors from getting involved and then we end up with a clique problem. What a shock. --Guy Macon (talk) 14:42, 28 April 2018 (UTC)
- There's a current RfA which might suggest not ;) —SerialNumber54129 paranoia /cheap sh*t room 14:56, 28 April 2018 (UTC)
- It isn't entirely clear to me what conclusion the Original Poster, User:Guy Macon, is recommending. Is he saying that there is something wrong with the drama boards, or that there is something wrong with many of the editors who file at the drama boards, or what? I agree that the handling of cases here can be unsatisfying. WP:ANI does a relatively good job of dealing with flamers, trolls, uncivil POV-pushers, and other editors who are not here. It is also true that WP:ANI attracts combative editors who seek to use it to pursue their objectives. For them, as noted above, the boomerang principle is a feature, not a bug. Robert McClenon (talk) 15:24, 28 April 2018 (UTC)
- I personally think that some significant reform in the governance of the English Wikipedia would be appropriate. However, that isn't likely to happen, because it isn't about to be initiated within the current system, and the WMF, which could start the ball rolling, doesn't understand well enough to be able to help. Robert McClenon (talk) 15:24, 28 April 2018 (UTC)
- What exactly is being proposed here, if anything? Robert McClenon (talk) 15:24, 28 April 2018 (UTC)
- Not everything has to be a proposal. Some things are informational. If this is a problem for you, you should bring it up at Meta:Research:Detox and Wikipedia:Community health initiative on English Wikipedia/Research about Administrators' Noticeboard Incidents/Quantitative data analysis where the data was gathered and presented. I merely reported it in the obvious place. --Guy Macon (talk) 19:02, 28 April 2018 (UTC)
Letting people who are commenting in this thread know that I've been following it and I'm available to answer questions about the AN/I research. Also, I want to emphasize that Wikimedia Foundation Anti-Harassment Tools team and Support and Safety team are looking for your ideas and thoughts about the broader topic of how to make improvements to reporting of and workflows around harassment. This week we are opening a discussion on ENWP (and Meta) about problems that have been identified already from the surveys. We are also looking to update the problem list during the community discussion with the purpose of identifying areas our software developers could make improvement later in 2018. I'm adding recaps of community discussions like this one. But it would be better to participate in the discussion yourself! SPoore (WMF), Community Advocate, Community health initiative (talk) 19:37, 1 May 2018 (UTC)
Automatic community ban (User:Miccoliband)
Miccoliband (talk · contribs) was indefinitely hard-usernameblocked on 3 February 2018. On 7 February 2018 and 30 April 2018, the user was found to have engaged in sockpuppetry in accordance with publicly-documented CheckUser evidence. Per WP:3X, this user is automatically considered community-banned. I haven't found any other examples of these AN reports, which are suggested by the policy, so I'm guessing this will be good enough. Best, Kevin (aka L235 · t · c) 22:22, 30 April 2018 (UTC)
- Oops, I suppose under the policy, we need an administrator to declare that the user is well and truly automatically community banned – misread that. Kevin (aka L235 · t · c) 22:34, 30 April 2018 (UTC)
Editors who are found to have engaged in sockpuppetry on at least two occasions after an initial indefinite block, for any reason, are effectively site banned by the Wikipedia community. Publicly documented CheckUser evidence should typically be involved before a user is considered banned in this way. Users who have been banned in this way are subject to the same unban conditions as users banned by community discussion.[2]
Administrators should normally place a notice at Wikipedia:Administrators' Noticeboard alerting the community of such a ban, place Template:Banned user on the master account's user page, and add the user to any relevant Arbitration Committee sanctions enforcement list.
Are you referring to Administrators should normally..., or is some other admin declaration needed? Nyttend (talk) 22:50, 30 April 2018 (UTC)
- @Nyttend: Yeah, I was referring to the "Administrators should normally ..." sentence. Thanks, Kevin (aka L235 · t · c) 23:07, 30 April 2018 (UTC)
- I think the point is having a trusted user do it, rather than just any autoconfirmed user; we don't want someone going around and inappropriately tagging a bunch of long-blocked users, either through malice or through misunderstanding. We also don't want someone going around tagging the user when the alleged sock is not blocked (that would either be getting ahead of a reviewing admin, or doing something in spite of a contrary review), but here the socks have been blocked. Probably the writer of this piece imagined that an admin would perform the block and then come here to announce it. Since that didn't happen, and since SPI clerks like you are quite trustworthy, I can't see a good reason to demand an admin do it. If an admin be needed, I'll have to revert or duplicate your notice here, and I'll have to revert or duplicate your edit that added the {{banned user}} to the userpage, since the policy says that the admin has to do those things. WP:BURO, let's be satisfied with what you did :-) Nyttend (talk) 23:20, 30 April 2018 (UTC)
- Thanks, works for me. Kevin (aka L235 · t · c) 01:58, 1 May 2018 (UTC)
- The idea behind it was that it should be an admin so that accountability would apply. I don't think we've had much use of that part of the new policy since it was passed, because, well, most of the people who sock aren't longterm users and are mainly just trolls and spammers, who the policy wasn't really aimed as much at i.r.t. the unblock aspect. If you look at the discussion, there was some comment as to whether that part was needed, and given that I'm sure this is not the first THREESTRIKES ban, it might be worth tweaking that bit. I think the idea that we want community oversight when this is applied to a longterm user is important, but it doesn't make the ban any less operative in cases like this. The main part of the policy is that an indefinite block plus two incidences of socking is equivalent to a ban and requires the same conditions to unblock (namely, discussion). The bureaucracy part we can tweak as conditions require. TonyBallioni (talk) 03:10, 1 May 2018 (UTC)
- I pushed to have the bureaucracy of that part worded as weakly as reasonable: 'administrators should normally', not 'the blocking admin has to tag the master and announce it here'. For me, basically, an editor who is blocked under the conditions is plainly community banned, even if it is not announced. Announcing and tagging is sometimes good (awareness by broader community, overview), but sometimes also to be avoided (don't feed the troll). Also, the wording has to be so that we don't get a sockmaster with 20 checkuser confirmed and blocked socks coming with 'I am not community banned, because a) no-one announced it to WP:AN, and my master account has never been tagged'.
- Q: do we have a special parameter on {{banned user}} or {{sockmaster}} for the three strikes to identify that the banned user is banned 'automatically' and not by individual discussion? I do think that that is informative. --Dirk Beetstra T C 06:32, 1 May 2018 (UTC)
- Dirk Beetstra, what do you think of what I said, Probably the writer of this piece imagined that an admin would perform the block and then come here to announce it? Were you hoping for the blocking admin to do the tagging and announcing? Nyttend (talk) 11:53, 1 May 2018 (UTC)
- @Nyttend: not hoping, I don't really care that the editor is tagged or not, nor whether the community has been explicitly notified. What Kevin did was fine, but, to me, superfluous. --Dirk Beetstra T C 12:50, 1 May 2018 (UTC)
- OK, thank you. Nyttend (talk) 13:02, 1 May 2018 (UTC)
- Yeah, I agree with Dirk. The situations where I see this is needed is for cases where we have a user who had previously been an established member of the community, who gets blocked and then starts socking. For the tagging, it might be worth updating the sock template with a parameter. This is useful for unblocks. I might tweak the wording a bit since this hasn't caught on. I still think it's a good idea to place a notice here if say someone like DrStrauss were to be socking again, but we don't need it for trolls and people who never hit extended confirmed. TonyBallioni (talk) 13:37, 1 May 2018 (UTC)
- Alright, I misunderstood the consensus – the wording of the policy made it seem like the ban is automatic and mandatory. Got it now. Kevin (aka L235 · t · c) 14:35, 1 May 2018 (UTC)
- The ban is automatic. The paperwork, etc. is a "normally" thing, and was worded as such, because like Dirk pointed out above, we don't want to feed the trolls, etc. Like I said, as there were some comments on the RfC that the paperwork wasn't always necessary, and we haven't started posting the notice in every case, we should probably tweak it (and I'll work on that sometime later this week) TonyBallioni (talk) 14:38, 1 May 2018 (UTC)
- So, Tony, this sounds like it's for someone like Access Denied, whose name will be known to plenty of people who aren't sock-fighters. Is it supposed to be applied retroactively to everyone (minus those who got a community or Arbcom unblock, of course), or only to people who continue socking after the provision's created? On one hand, it might make sense to apply it to someone who was making a mess a few months ago, but on the other hand it would be a bit silly to apply it to User:WoW, the original incarnation of Willy on Wheels. Nyttend (talk) 23:36, 1 May 2018 (UTC)
- @Nyttend: LOL. WoW! That will certainly get the conversation moving-- on wheels!--Dlohcierekim (talk) 09:43, 3 May 2018 (UTC)
- As an SPI clerk (this seems to fall in our purview) we add sock tags unless there's some reason not to, but sockmasters are tagged pretty consistently. We could modify the {{sockpuppeteer}} template with a switch something like banned=yes or threestrikes=yes or checked=ban that would make the template say something like "This user is banned by the community because CheckUser evidence confirms the operator has repeatedly abused multiple accounts" in place of the checked=yes messaging. Also, as a clerk, if I find a tag that has been placed inappropriately I just fix it or remove it, and there are a few users I've asked not to do it because they've been making a lot of errors or using them abusively, but not that many. But if we are going to create or use a second template for this purpose, it's important that if there's a {{sockpuppeteer}} tag on the page already, it shouldn't be removed, just add {{banned user}} underneath if that's what we decide to do. Ivanvector (Talk/Edits) 13:49, 4 May 2018 (UTC)
- Ivanvector: I think the parameter option makes the most sense, and meant to start a conversation about that after the change went through. It might be worth updating the wording of the policy page to be something re: notification at AN to read something like "A notice should normally be placed at AN if the user had substantial good faith contributions before being blocked." as this seems to get at the intent there. TonyBallioni (talk) 13:55, 4 May 2018 (UTC)
Cleanup on Aisle G13
We have a motherload of pages listed in Category:G13 eligible AfC submissions that are eligible for G13 deletion. I'm not seeing it in Category:Administrative backlog yet, but I've gone through and tagged some of them and there's many more if someone wants to swing by and clean some of them out. Thanks. Home Lander (talk) 21:12, 1 May 2018 (UTC)
- Empty. Feel free to one-click this. Primefac (talk) 11:48, 2 May 2018 (UTC)
- @Primefac: Not so fast - there's 307 pages listed at the moment. Home Lander (talk) 14:13, 2 May 2018 (UTC)
- My apologies, I misread and thought you were talking about Category:Candidates for speedy deletion as abandoned drafts or AfC submissions. For what it's worth, G13-eligible pages are not necessarily summarily deleted, they still require someone to nominate them (usually User:HasteurBot). There are some users who find "diamonds" in these pages, and so there's no reason to summarily d-batch the entire cat (otherwise we'd just have it happen automatically). Primefac (talk) 14:19, 2 May 2018 (UTC)
In other words, it is not (and will never be) part of the administrative backlog. Primefac (talk) 14:20, 2 May 2018 (UTC)
- @Primefac: Yeah, I bring up a batch of pages at a time and have a quick look to see if there's anything that looks really good. Unfortunately many of them simply consist of the unsubmitted draft template followed by an empty reference section. Incidentally, there's a tag at the top of the category page that I had overlooked stating that it will put the page in Category:Wikipedia backlog if more than 500 items are pending. Home Lander (talk) 03:25, 3 May 2018 (UTC)
- Huh. Colour me surprised. Primefac (talk) 15:26, 4 May 2018 (UTC)
- I almost commented to that effect, but you did say administrative backlog ~ Amory (u • t • c) 15:39, 4 May 2018 (UTC)
- Which is still true, I suppose, but I probably shouldn't un-strike my text, since I too missed the {{backlog}} at the top of the cat and that was more of the point. Primefac (talk) 15:46, 4 May 2018 (UTC)
The bot only nominates AfC pages. When I looked a few hours ago there were over 400 non-AfC pages to tag. User:MusikBot/StaleDrafts/Report Legacypac (talk) 17:02, 4 May 2018 (UTC)
alan jackson vandal again
Special:Contributions/Ichabbie396. Do we have an LTA page for it?--Dlohcierekim (talk) 03:17, 2 May 2018 (UTC)
- It's Wikipedia:Sockpuppet investigations/Angela Criss. No LTA page that I'm aware of, and I'd consider it a WP:DENY case. Ivanvector (Talk/Edits) 14:03, 4 May 2018 (UTC)
Puzzling entries at CSD
I'm starting to see entries at Category:Candidates for speedy deletion that I don't understand why they're on there. There doesn't seem to be anything in the entry histories that indicates they were tagged for CSD.
- Wikipedia:Articles for deletion/Log/2018 May 2
- Wikipedia:Articles for deletion/Log/Today
- User:Wcquidditch/wikideletiontoday
There might be others. But these jumped out at me for not having been nominated for deletion, but appearing on the list. — Maile (talk) 20:05, 2 May 2018 (UTC)
- They were transcluding one or more pages that were themselves nominated for deletion. It gets cleared once the transcluded page is handled one way or another, and the host page is recached. Someguy1221 (talk) 20:13, 2 May 2018 (UTC)
- I see. Thank you for the clarification. — Maile (talk) 20:14, 2 May 2018 (UTC)
- Just for completion's sake, it was Wikipedia:Articles for deletion/Hugo (software) (2nd nomination), deleted under G7. ~ Amory (u • t • c) 20:36, 2 May 2018 (UTC)
- By the way, Maile66, this is a function of the Job queue. If a page is added to a category indirectly because the category is part of a transclusion, the category does not get removed immediately when the template is removed: the page has to be edited first. Not an issue if someone edits the page to remove the transclusion, but if it's removed indirectly (say it's added by a template on a transcluded page, and the template's removed from the transcluded page), or when the transcluded page is deleted, you have to wait for the job queue to catch up. Nyttend (talk) 03:13, 3 May 2018 (UTC)
Template vandalism nested within Disambiguation
Probably thousands of pages are affected, every transclusion of {{Disambiguation}} is impacted by vandalism of nested {{Disambiguation page short description}}, which itself is a new thing. I've reverted the vandalism. I don't have my admin tools anymore but IMO at least a VOA-block of Delpmart and some protection of {{Disambiguation page short description}} seems warranted, and then y'all can discuss the need for this subtemplate and/or why this was left vulnerable (I thought template-protection was supposed to cascade down to transcluded subtemplates but maybe I'm wrong). Ben · Salvidrim! ✉ 05:19, 3 May 2018 (UTC)
- I'm heading to bed so I've no time to continue edit-warring with some shitty vandal, hopefully some admin will attend to this regardless of the idiot deleting this thread. Ben · Salvidrim! ✉ 05:22, 3 May 2018 (UTC)
- I've protected {{Disambiguation page short description}}, and blocked the vandal. Someone more knowledgeable should take a look at the necessity of this newly-created template. utcursch | talk 05:23, 3 May 2018 (UTC)
- Relevant thread (which I haven't read yet): Template talk:Disambiguation#Related templates Ben · Salvidrim! ✉ 05:30, 3 May 2018 (UTC)
- Thanks utcursch, Salvidrim!. The template is part of Wikipedia:WikiProject Short descriptions campaign to populate mainspace pages with Wikipedia:short descriptions to avoid WMF using inappropriate or poor quality descriptions from Wikidata in search results. Precursory saga described at project page through links. Basically forced on us by WMF. Cheers, · · · Peter (Southwood) (talk): 06:40, 3 May 2018 (UTC)
The image File:Asshole hat.jpg that was used in the vandalism above is still showing transclusions onto well over 500 pages. I've put in a request to have the image blacklisted but many pages may still need to be purged. I've loaded several but it's not showing on any so far. Home Lander (talk) 16:51, 3 May 2018 (UTC)
Please help- who tried to break into my account?
Please note that receiving one of these notifications does not mean your account was actually compromised or hacked. You may want to review WP:STRONGPASS and WP:SECURITY to ensure you are doing all you can to protect your account, but you do not necessarily need to reset your password. Beeblebrox (talk) 20:53, 3 May 2018 (UTC)
Can you please find out who tried to break into my account? It worries me. I want to see if it was someone in my area or other. Alex of Canada (talk) 17:35, 3 May 2018 (UTC)
- @Alex of Canada: Someone tried three times several hours ago to get into mine. It happens; as long as you have a secure password you should be fine. Home Lander (talk) 17:40, 3 May 2018 (UTC)
- This just happened to me, too. It's not unusual, I get one or two a month, and about once a year, someone makes a whole lot of login attempts. Make sure you have a unique password for Wikipedia. Use a password manager if you don't already. Use multi-factor authentication. Consider changing your password if you are worried (or especially if it wasn't unique). I already have these set up on my account so I just ignore the warnings when they come in. You asked to find out who tried to break into your account. That information is not generally available, I'm afraid. --Yamla (talk) 17:41, 3 May 2018 (UTC)
- My password is secure, but I'm worried it might be a hacker who will find out how to get into anyone eventually. Alex of Canada (talk) 17:48, 3 May 2018 (UTC)
- Best case is to use a unique password here (so if they figure out who you are, can't get into anything else, such as your email) and set up extra measures. A WP:Committed identity would be a good start. Home Lander (talk) 17:53, 3 May 2018 (UTC)
- That might be a legitimate worry, but it existed before some person or bot tried to brute-force some Wikipedia accounts. Hacking without guessing the password is a whole different proposition. Related stuff at Wikipedia:Village pump (technical)#two-factor authorization and User talk:Winkelvi#Compromised account attempt. ―Mandruss ☎ 17:54, 3 May 2018 (UTC)
- Related discussion at VPT (permalink) with some more detailed information. Seems there's a rash of this today. ~ Amory (u • t • c) 18:04, 3 May 2018 (UTC)
- Yep. Two threads at the teahouse on this same subject. Beeblebrox (talk) 18:37, 3 May 2018 (UTC)
- Just tried and failed with mine. --SarekOfVulcan (talk) 18:43, 3 May 2018 (UTC)
Recommend that all admins set up 2-factor auth. Andrevan@ 18:49, 3 May 2018 (UTC)
- Everyone reviewing WP:STRONGPASS and WP:SECURITY couldn’t hurt either. Beeblebrox (talk) 18:50, 3 May 2018 (UTC)
- Me, too (in case anyone is keeping track of admin v non-admin attempts). SandyGeorgia (Talk) 18:59, 3 May 2018 (UTC)
- Me too. I already asked a question at WP:Village pump (technical)#two-factor authorization. Martinevans123 (talk) 19:02, 3 May 2018 (UTC)
- I had this today as well, but I have break-in attempts on a regular basis, with a record of several hundreds per day (not today though).--Ymblanter (talk) 19:15, 3 May 2018 (UTC)
- They must like you. Martinevans123 (talk) 19:21, 3 May 2018 (UTC)
- Got an attempt today as well. SQLQuery me! 19:20, 3 May 2018 (UTC)
- Me as well. Question I should probably know the answer to: can a functionary look up the IP addresses behind these bogus login attempts and implement a technical restriction? Ivanvector (Talk/Edits) 19:22, 3 May 2018 (UTC)
- Technically, yes. Whether it is allowed by the policy I do not know.--Ymblanter (talk) 19:43, 3 May 2018 (UTC)
- Well, if there's a way to determine that an IP is being used for abusive login attempts, autoblocking that IP for 24 hours is probably a good security practice. Wouldn't stop them hacking an account probably but then at least they wouldn't be able to edit. If our policies don't support that then we should change our policies. Ivanvector (Talk/Edits) 19:55, 3 May 2018 (UTC)
- Me too. Natureium (talk) 19:39, 3 May 2018 (UTC)
First Thursday of every May. Coincidence, perhaps. --NeilN talk to me 19:18, 3 May 2018 (UTC)
I'm probably the only editor right now that hasn't had attempted account hacks ...... Not sure if that's a good sign or a bad one lol. –Davey2010Talk 19:32, 3 May 2018 (UTC)
Inevitable happened. –Davey2010Talk 22:25, 3 May 2018 (UTC)
- Me too, Davey! --Malcolmxl5 (talk) 21:24, 3 May 2018 (UTC)
- I readily admit I am not the most experienced CU, but I am unaware of how we could look up who attempted and failed at logging in. I’ll ask for further input though in case it’s just something I don’t know about. Beeblebrox (talk) 19:50, 3 May 2018 (UTC)
- Good point. So all we need to do is all simultaneously set our passwords to "password" for five minutes and simply track 'em down!!? Martinevans123 (talk) 19:56, 3 May 2018 (UTC)
- Yeah, it would take far more access (database?) to determine where this is coming from. If that information is even stored. If this isn't a bot driven thing (which it probably is), then a limiter on logins per IP would be nice as well. Arkon (talk) 20:03, 3 May 2018 (UTC)
- I’ve gotten some response from the other functionaries about this, here’s what we’ve got:
- Currently, CU cannot do this
- There is a phabricator thread about notifying the user of the IP of whoever tried to log into their account. It is approved and being worked on but not functional yet
- There is some indication that this is a specific banned user already familiar to some of the functionaries so it is possible some action will be forthcoming but I’m not sure what it will be.
Beeblebrox (talk) 20:24, 3 May 2018 (UTC)
- @Beeblebrox: There is a way to check it, but it's on Toolforge. The people that have access to it aren't functionaries but more devs I think. There'sNoTime knows more about it. Dat GuyTalkContribs 09:00, 4 May 2018 (UTC)
- Apparently there have been tens of thousands of failed login attempts over the past few hours. Check this out for some idea of the scope. The back office is aware of this and we can expect a statement from them in the near future. Beeblebrox (talk) 20:33, 3 May 2018 (UTC)
- Thanks for clarifying. Martinevans123 (talk) 20:44, 3 May 2018 (UTC)
- Interesting. I got one of those failed login attempt messages too. I changed my password to something stronger and thought nothing else of it until now. – Muboshgu (talk) 20:36, 3 May 2018 (UTC)
- I just got a notification that somebody get into mine too.--Crasstun (talk | contributions) 20:44, 3 May 2018 (UTC)
- Me too, and User:SPECIFICO. We were also both targeted at Wikipedia yesterday by the same editor, but no idea if there's any connection. That editor also knows my anon Facebook and Twitter accounts. Strange. -- BullRangifer (talk) PingMe 20:52, 3 May 2018 (UTC)
- User:BullRangifer You posted it here on WP when you were talking with some IP who then posted it on my talk page because he saw me arguing with you. Someone tried to access my WP account too. Factchecker_atyourservice 02:05, 4 May 2018 (UTC)
- Thanks for clearing that up. Let's make sure it doesn't spread. I'll seek a revdel. -- BullRangifer (talk) PingMe 03:18, 4 May 2018 (UTC)
- Happened to me this morning. In a way I'm glad it is not an isolated incident.--SamHolt6 (talk) 21:14, 3 May 2018 (UTC)
- It happened to me too at 14:12 UTC today too. L293D (☎ • ✎) 21:32, 3 May 2018 (UTC)
- You may add me to the list of failed hack targets. I have 2FA enabled so I am not overly concerned about my account security. But I am very concerned about what looks like an orchestrated attack on the project. -Ad Orientem (talk) 22:03, 3 May 2018 (UTC)
- For what it's worth, someone (the same person?) tried to break into my account just a few hours ago. Adam9007 (talk) 22:07, 3 May 2018 (UTC)
+1 - I felt like the odd one out so kinda glad someone attempted it, Jokes aside why is there a huge influx of password resettings? ... It doesn't seem all that productive .... –Davey2010Talk 22:25, 3 May 2018 (UTC)
- Happened to me 7 hours ago. Silly culprit; if he was targeting editors with any care, Davey2010 and other big-name users here should have been higher on his priority list than me. No one's ever bothered to try to hack my account before. Sideways713 (talk) 22:48, 3 May 2018 (UTC)
- I got that notification as well, 2 hours ago. theinstantmatrix (talk) 22:57, 3 May 2018 (UTC)
- Same here, a few hours ago. GoodDay (talk) 23:26, 3 May 2018 (UTC)
- Could this be related to today being World Password Day? FallingGravity 23:39, 3 May 2018 (UTC)
- Read up above - I heavily doubt it, since the perpetrator is apparently known to the WMF. As an aside, they tried me as well, but my password's only been strengthened since I was an admin, so they didn't get far. —Jeremy v^_^v Bori! 23:47, 3 May 2018 (UTC)
- Me too, although I'm pretty sure who tried doing it... Am i famous now?💵Money💵emoji💵Talk 23:46, 3 May 2018 (UTC)
- For the first time ever, I received notification that someone had tried to log into my account today. I am not an admin. This needs to be investigated.Smeat75 (talk) 00:09, 4 May 2018 (UTC)
- Read the thread above. I'm fairly certain the WMF is already on it. —Jeremy v^_^v Bori! 00:11, 4 May 2018 (UTC)
- Russians? [FBDB] Atsme📞📧 02:11, 4 May 2018 (UTC)
- I was waiting for someone to say the Russians :) GoodDay (talk) 02:17, 4 May 2018 (UTC)
- Me too. (And yes, I have two-factor authentication.) Heimstern Läufer (talk) 12:41, 4 May 2018 (UTC)
According to this graph of the Wikimedia User Login Attempts, this account hacking attempt has resumed today and is still continuing, as of this writing. There are a lot more "Throttled logins" today than in yesterday's attacks, which now appears to comprise the vast majority of the latest attack wave. (And yes, this LTA/hacker took a swipe at my account yesterday and a couple more times today.) This is getting ridiculous. LightandDark2000 (talk) 23:30, 4 May 2018 (UTC)
I suspect this attack may have something to do with the recent Twitter password leak [10]. Is it possible that someone has got a copy of this "internal log" and has now got a botnet trying to find Wikipedia accounts that match the Twitter ones? (Yes, I got an attempt against my account too, and no, the other QuietOwl on Twitter is not me, I don't use this username anywhere else, or any social networking site, for that matter.) QuietOwl (talk) 02:48, 5 May 2018 (UTC)
- Okay, this time, the next attack wave is longer than the first one, and it's still ongoing right now. This can't be a good sign. LightandDark2000 (talk) 06:34, 5 May 2018 (UTC)
I've added a picture of the graph depicting the mass-cyberattack attempts. I estimate that at least 400,000 accounts may have experienced some attempt to break in. It should be noted that this is the largest account-hacking attempt that Wikimedia has experienced at least in the last 5 years (possibly the largest such attack ever). I also noticed today that the attacks seemed to have stopped. I wonder what happened to the hacker. What's keeping him? ;) LightandDark2000 (talk) 06:22, 6 May 2018 (UTC)
- Today, only 30 minutes ago, someone (probably the same hacker) tried to break into my account 3 more times. I guess it must have something to do with me uploading the picture. Though I already hardened my password 2 more times, so it won't really help them at all. What in the hell is wrong with this person? The WMF seriously needs to block the access for the IP network responsible; at least Globally Rangeblock the IP if it will help. LightandDark2000 (talk) 19:56, 6 May 2018 (UTC)
- Oh, God, they're doing it again! This time the attacks are almost entirely "login throttles". Seriously? Someone needs to block off the IP network hosting the attacks, or at least add in some new firewall rules to Wikimedia Foundation computers if this is some kind of offline attack. LightandDark2000 (talk) 10:40, 7 May 2018 (UTC)
- What does "login throttled" mean? Natureium (talk) 16:48, 7 May 2018 (UTC)
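Added example, not part of the thread and not MediaWiki's or the WMF's code: a generic login throttle of the kind discussed above, combining a per-account failure limit with the 24-hour IP autoblock suggested earlier in the thread. All thresholds, class and function names, account names and (documentation-range) IP addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 300                  # seconds of failure history kept (assumed value)
MAX_FAILS_PER_ACCOUNT = 5     # failures per account inside WINDOW (assumed value)
MAX_ACCOUNTS_PER_IP = 10      # distinct accounts one IP may fail against (assumed value)
BLOCK_SECONDS = 24 * 3600     # the 24-hour IP block suggested in the thread


class LoginThrottle:
    """Decides whether a login attempt is even evaluated."""

    def __init__(self):
        self.account_fails = defaultdict(deque)  # account -> deque of (time, ip)
        self.ip_fails = defaultdict(deque)       # ip -> deque of (time, account)
        self.blocked_until = {}                  # ip -> time the block expires

    @staticmethod
    def _expire(queue, now):
        # Drop failures that have aged out of the sliding window.
        while queue and queue[0][0] <= now - WINDOW:
            queue.popleft()

    def check(self, ip, account, now):
        """Runs BEFORE the password is looked at."""
        if self.blocked_until.get(ip, 0) > now:
            return "blocked"
        fails = self.account_fails[account]
        self._expire(fails, now)
        if len(fails) >= MAX_FAILS_PER_ACCOUNT:
            # Per-account limit: catches a botnet where every guess comes
            # from a different IP. Side effect: the real owner is also
            # refused until the window clears, even with the right password.
            return "throttled"
        return "allowed"

    def record_failure(self, ip, account, now):
        self.account_fails[account].append((now, ip))
        per_ip = self.ip_fails[ip]
        per_ip.append((now, account))
        self._expire(per_ip, now)
        # One IP failing against many different accounts looks like
        # password spraying or credential stuffing: block the IP.
        if len({acct for _, acct in per_ip}) >= MAX_ACCOUNTS_PER_IP:
            self.blocked_until[ip] = now + BLOCK_SECONDS

    def attempt(self, ip, account, password_ok, now):
        decision = self.check(ip, account, now)
        if decision != "allowed":
            return decision          # counted as "throttled"/"blocked", not "failed"
        if password_ok:
            return "success"
        self.record_failure(ip, account, now)
        return "failure"


def run_constructed_demo():
    """Replays two constructed attack patterns and returns the decisions."""
    spray = LoginThrottle()
    spray_results = [
        spray.attempt("198.51.100.7", f"ExampleUser{i}", False, now=i)
        for i in range(12)           # one IP, twelve different accounts
    ]
    botnet = LoginThrottle()
    botnet_results = [
        botnet.attempt(f"203.0.113.{i}", "ExampleAdmin", False, now=1000 + i)
        for i in range(8)            # eight IPs, one account
    ]
    owner_during = botnet.attempt("192.0.2.10", "ExampleAdmin", True, now=1010)
    owner_after = botnet.attempt("192.0.2.10", "ExampleAdmin", True, now=1400)
    return spray_results, botnet_results, owner_during, owner_after


if __name__ == "__main__":
    for part in run_constructed_demo():
        print(part)
```

In this model a "throttled" attempt is one that was refused without the password being checked at all, so a rising share of throttled logins means the limiter is absorbing the guesses rather than that more accounts are at risk.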
I have same problem. Someone is trying to hack my account Lado85 (talk) 08:24, 8 May 2018 (UTC)
- I have a suggestion (I am not an admin but thought I'd comment). My account hasn't been targeted (yet), but if it ever does, they won't get very far, my password is not even a word or phrase maybe others should follow suit with their password being a "random" combination of letters and numbers. Lavalizard101 (talk) 11:39, 8 May 2018 (UTC)
PSA: Admins should enable two-factor authentication
As an additional security measure, admins and editors with similar permissions can (and should) use Special:Two-factor authentication to prevent account hijacking. Sandstein 21:51, 3 May 2018 (UTC)
- (edit conflict)I would gladly use 2FA (and I was also the subject of a hack attempt) if the code was emailed, in addition to (or instead of) being sent to a mobile number. We have a cell phone but it's usually off, but my email is generally available. I may not be the only admin in a similar situation. Miniapolis 22:51, 3 May 2018 (UTC)
- The code is not sent to the mobile phone, it's locally generated (based on time and a secret key) by an app on the phone. I don't know if it works for your use case, but you don't need to have the phone on (except for the very moment of login) or even online. --Stephan Schulz (talk) 18:51, 7 May 2018 (UTC)
- Miniapolis YMMV depending on which service you use, but authy has desktop clients for macOS and Windows as well. ~ Amory (u • t • c) 21:16, 7 May 2018 (UTC)
- I really really do not agree, Sandstein. We've had several cases of admins, including technically savvy admins, who have been in despair because they lost their whatsits — I don't remember what they're called — some magic formulas that you need for your account when you have two-factor authentication — and apparently the magic gets lost every time you get a new phone. Ouch. Eventually, after much stress, these people have been rescued through being able to e-mail people who can vouch for them because they recognize the way they talk. (Hello, Jehochman, hope your account is OK these days.) People who habitually edit from internet cafes or library computers, or who have a mischievous twelve-year-old or a hard-drinking sister-in-law around the house, may possibly need the system, but everybody else had much better instead get a really strong password and not use that password anywhere else. In my opinion. Bishonen | talk 22:57, 3 May 2018 (UTC). (PS: And yes, I've had the attempts today and so has Bishzilla. Considering the numbers of people who have, I find it hard to believe WWII editors have been singled out.) Bishonen | talk 23:02, 3 May 2018 (UTC).
- You're both right, to some degree. Bish, the magic you're thinking of is a scratch code (I'm not sure if that's what our implementation calls it) and it is just a plain text code that you're supposed to keep somewhere safe, so that if you do lose your authentication device (i.e. get a new phone) then you can use that code to reset your 2FA and re-implement it on your new device. If you lose your password AND your device AND those codes AND nobody can vouch for you, then yeah, you're fucked, but that's a lot of concurrent failures. If I remember right, when you enable 2FA here the codes you need are all displayed on the screen (you scan a QR code and the scratch codes are plain text), not sent by text or emailed or whatever. Maybe that depends on what authenticator you use. Ivanvector (Talk/Edits) 23:07, 3 May 2018 (UTC)
- <<ec>>What Bishonen said. Every time I read the instructions my blood runs cold. With the two factor authentication I have w/ my bank and emails, there is a backup and authentication involves sending a request to my phone. The process here sounds dangerously complicated, and the greater risk is that I lose my whatsit.--Dlohcierekim (talk) 23:09, 3 May 2018 (UTC)
- Is it true that once you do this there's no going back? I don't want to do something irrevocable. And I have a strong password.--Dlohcierekim (talk)
- No, not at all, you can turn it off any time as long as you have access to your account. I get that we're still calling it "beta", but I turned it on the day my RfA closed, and I've never had a problem. Ivanvector (Talk/Edits) 23:22, 3 May 2018 (UTC)
- Blood-chillingly complicated is right, Dlohcierekim. And it sounds to me like the whole log-in operation, otherwise so smooth, gets much more fiddly with 2FA, every time you do it. That's quite a problem for people with a lot of socks![11] Bishonen | talk 23:30, 3 May 2018 (UTC).
- Not by much, no, there's one extra step. The squirrel still gets in just fine. Ivanvector (Talk/Edits) 23:49, 3 May 2018 (UTC)
- I use Authy (authy dot com) for my 2FA here. It allows one to use multiple devices as well as back up the seed. There is a slight security hit since more than one device can be used but for me it is worth it to remove the single point of failure. Jbh Talk 23:45, 3 May 2018 (UTC)
- I have to say I was intimidated by it at first as I am not super technically minded but once it is set up it is remarkably easy to use, and I made sure I have those scratch codes in a safe place in case I ever need them. Beeblebrox (talk) 00:19, 4 May 2018 (UTC)
- I actually am a techie person, but I do agree that the instructions and setup appear intimidating. But once it is set up, 2FA really is easy to use. Enter your password as usual, then it asks for a number. Open the app on your phone/tablet/whatever, and it displays a number. Type in that number. And as long as you do remember to record the original scratch codes somewhere, the whole thing can always be reset in the event of a disaster. As for login attempts, I've had one rather than the multiple attempts that many are getting - presumably it stopped at the first 2FA challenge. Boing! said Zebedee (talk) 08:55, 4 May 2018 (UTC)
- I use 2FA, but as someone who seems to drop or otherwise break their phone at least once per year, I agree with others that the way 2FA works is a royal pain in the neck. If I'm unable to access my old device, I have to (a) find where I wrote down the scratch codes (b) use one to login & disable 2FA (c) re-enable 2FA with the new device and (d - and this is the worst bit) write down a whole new set of scratch codes. If you've lost your scratch codes, you are basically screwed and are looking at registering a new account and convincing anyone who will listen that the two are connected. Committed identity helps with this - but of course you have to be able to find the file you used to create it. Things that would help with this situation are (a) only generate a new set of scratch codes when a user requests it or when the last one is used, not every time 2FA is enabled, so that at least you don't have to write down a whole new set every time you use one and (b) have some back up way of resetting authentication on the account. The latter would involve the WMF holding some way of getting in touch with you or proving your identity. I guess for people who have identified to the WMF this is already possible; otherwise, of all the websites I use, enwiki is the one where it is hardest to recover your account - and it seems it is often impossible. I thought there was a phab ticket to improve this situation, but I can't find it just now (fun diversion: try searching '2FA' on phab and you'll see how many people have difficulties with it - it seems that at least sometimes it is possible to convince the devs to twiddle bits). GoldenRing (talk) 11:20, 4 May 2018 (UTC)
- Two factor authentication, as implemented on Wikipedia, is farkakt. Jehochman Talk 18:12, 4 May 2018 (UTC)
- gesundheit--Dlohcierekim (talk)
- Regarding losing scratch codes - does no one else use a cloud storage or cloud backup service? --NeilN talk to me 20:08, 4 May 2018 (UTC)
- negative. I consider nothing in the cloud or otherwise online secure.--Dlohcierekim (talk) 20:09, 4 May 2018 (UTC)
- @Dlohcierekim: Sigh. [citation needed]... --NeilN talk to me 20:14, 4 May 2018 (UTC)
- Psssst, Neil...be careful not to use too many *sighs* [FBDB] Atsme📞📧 20:38, 4 May 2018 (UTC)
- Hidden Tempo? Is that like a Ford Tempo but with a quieter engine? Martinevans123 (talk) 08:21, 5 May 2018 (UTC)
PSA: Admins might be better off with a long passphrase rather than two-factor authentication
Just so you know, not everyone agrees that 2FA is a magic bullet.
https://www.economist.com/blogs/economist-explains/2017/09/economist-explains-9
https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html
https://krebsonsecurity.com/2016/09/the-limits-of-sms-for-2-factor-authentication/
https://www.theverge.com/2017/7/10/15946642/two-factor-authentication-online-security-mess
I'm just saying. --Guy Macon (talk) 20:03, 4 May 2018 (UTC)
- Just as a reminder, users with advanced permissions are required by WP:STRONGPASS to have a strong password anyway. 2FA is just another option to strengthen account security. Beeblebrox (talk) 20:08, 4 May 2018 (UTC)
- @Beeblebrox: Personally, I don't understand why the (not particularly strict, IMHO) requirements for privileged users don't apply to all users. Nearly every insignificant forum on the web has stricter password requirements than Wikipedia, for heaven's sake! Gestumblindi (talk) 14:26, 5 May 2018 (UTC)
- @Gestumblindi: The reason is simple: consensus was against it when the policy was developed. The reasoning was that it might discourage new users. Beeblebrox (talk) 18:14, 5 May 2018 (UTC)
- @Beeblebrox: I remember, but consensus might change. Maybe it's now the time for proposing slightly stricter requirements more similar to those customary anywhere else on the web? I don't get the "it might discourage new users" reasoning - after all, people should be well accustomed to having to use reasonably strong passwords by now. As it is, the password requirements for regular users are extremely and most unusually low, and the requirements for admins are still rather below standard. Gestumblindi (talk) 18:31, 5 May 2018 (UTC)
- Hopefully 20 bytes is enough.--Dlohcierekim (talk) 00:58, 5 May 2018 (UTC)
- It should be noted that most of those articles are about 2FA using SMS codes, or using such SMS codes as backups for the type of 2FA we have. Neither of which we do for that exact reason. Which is also the reason you are so screwed on this site if you lose your scratch codes AND your phone. However I agree that having a 20 character password that you only use on en.wp is probably more important than having 2FA. But I use 2FA on ALL my accounts wherever I can, and because I use it for so many services, it has stopped being bothersome. —TheDJ (talk • contribs) 09:11, 5 May 2018 (UTC)
- Yup. Make sure it passes the dictionary attack though. rhin0cer0usstransgal4cticdifferential is easier to remember and just as good as 25 characters of random gibberish. cinco de L3X1 ◊distænt write◊ 13:13, 5 May 2018 (UTC)
- The passphrase Rhinoceros transgalactic differential. (with the initial capitalization and the ending period) is stronger still. Even better would be "My rhinoceros has a transgalactic differential." -- harder for a computer to crack and easier for a human to remember; just remember that it is a valid sentence using standard English spelling and grammar. Replacing o with 0, a with 4, etc. just makes it harder to remember without adding much in the way of difficulty for a password guessing program. --Guy Macon (talk) 20:26, 5 May 2018 (UTC)
- Source on that. The few times I've had to turn my previous laptop into a wireless router (long story), the password was something like "screwoffyoucommiespybastardsthisismygoddamnwifi" or similar full sentences.
- Now, it still needs to be multiple words, because single words are not a problem for dictionary attacks. Ian.thomson (talk) 20:55, 5 May 2018 (UTC)
User:Guy Macon: Re A password that meets the requirements set forth in STRONGPASS (8 characters) will be broken by an offline password-guessing program in under a minute.
- Does WikiMedia not have, or could they not develop, a system where three (or so) failed attempts to log in to an account, lock the account? For a comparable example, if someone tries to use an ATM card and puts in an incorrect code three times, on the third try the ATM will eat the card. Couldn't WikiMedia have some way of locking an account after three (or X number to be decided) failed attempts at entering the password? --MelanieN (talk) 01:31, 6 May 2018 (UTC)
- So you first lock all the admin accounts, then you go vandalize at will. This would work well. Remember, everything can be gamed, and this plan is game-able in two seconds flat. The reason the ATM example works is because someone already has your card. Courcelles (talk) 01:36, 6 May 2018 (UTC)
- Actually, I am pretty sure the number of attempts per minute is limited (and not to 10^10), but I do not remember where I have seen this and what the number actually is.--Ymblanter (talk) 07:13, 6 May 2018 (UTC)
- I think there is some form of rate limiting although I don't know the details. I'd note a system which completely locks an account after 3 tries requiring some sort of reset is open to abuse since it means people who want to annoy an editor can keep locking their account. Nil Einne (talk) 16:40, 6 May 2018 (UTC)
(If the following is too long for you, just read https://xkcd.com/936/ and https://xkcd.com/538/ ).
Every time I have looked into the nuts and bolts of how the WMF does security, it has always, without fail, turned out that they do it right, so I am not even going to bother finding out how they stop an attacker from either making millions of guesses per second or being able to lock out an admin by trying to make millions of guesses per second. Clearly the WMF developers read the same research papers that I do.
That being said, as explained at Kerckhoffs's principle#Modern-day twist, while doing things like rate limiting are Very Good Things, we are not to rely on them. We are to assume that the attacker knows every byte of information on the WMF servers (and in fact the attacker may actually be someone who knows every byte of information on the WMF servers -- If a nation-state offered a key WMF employee millions of dollars if he complied and made a credible threat to torture and kill his family if he didn't, there is a 99%+ chance that they would end up knowing every byte of information on the WMF servers.)
The WMF does not store your passphrase anywhere. When you enter it, a cryptographic hash is performed and the result compared with a stored hash. This means that an attacker who knows every byte of information on the WMF servers can perform a high-speed offline passphrase-guessing attack, but cannot simply look up your passphrase and use it to log on. So according to Kerckhoffs's principle, you should choose a passphrase that is easy to remember and hard for a high-speed offline passphrase-guessing program to guess. I will call that "Macon's principle" so that I don't have to type "choose a passphrase that is easy to remember and hard for a high-speed offline passphrase-guessing program to guess" again and again.
Bad ways to follow Macon's principle
- Passwords instead of passphrases (single words instead of strings of words with spaces between them).
- Random gibberish.
- Short passwords or passphrases. 8 is awful, 16 is marginal, 24 is pretty good, 32 is so good that there is no real point going longer.
- Character substitutions (Example: ch4r4ct3r sub5t|tut10ns)
Good ways to follow Macon's principle
- Use a standard English sentence with proper grammar, spelling, and punctuation.
- Make it longer than 32 characters and have it contain at least three (four is better) longish words plus whatever short words are needed to make it grammatically correct.
- Make sure that sentence has never been entered anywhere on your hard drive (including deleted files) or on the internet. "My Hovercraft Is Full of Eels" is bad because a dictionary that contains every phrase used in Monty Python's Flying Circus would find it.[17]
- Make it meaningful, easy to remember, and something that generates a strong mental image.
- Make it meaningful to you, but unguessable by others (don't use your favorite team, first kiss, mother's maiden name, etc.)
An example of a good passphrase that follows Macon's principle would be:
Sherwood painted his Subaru pink so that it would blend in with his flamingos.
(This assumes that you actually know someone named Sherwood and that he owns a non-pink Subaru. Replace with a name/car from among your acquaintances)
That's 78 characters that nobody in the history of the earth has ever put together in that order until I just wrote it. Typos really stand out (Sherwood paibted his Subaru pink so that it would blend in with the Flamingos) and are easy to correct. The sun will burn out long before the fastest possible passphrase-guessing program completes 0.01% of its search. And yet it would be far easier to remember than the far easier (for a computer) to guess BgJ#XSzk=?sbF@ZT would be. --Guy Macon (talk) 18:16, 6 May 2018 (UTC)
- I feel there is some confusion in this thread around password security I'd like to clear up:
- re MelanieN: Guy Macon is referring to an "offline" attack, which is a fancy way of saying how long it would take if the attackers found a way to bypass all rate limiting and had a copy of the password file from WMF's servers. In an "online" attack (When somebody tries to login via Special:userlogin many times), rate limiting does come into play. Currently the rate limit is set to at most 50 in five minutes (Which honestly, is a little on the high side for a short term limit), and no more than 150 tries in a 2 day period. Long before the hard limit comes into play, there is a soft limit where people need to enter a captcha in order to continue logging in. Of course we also record whenever there is a failed login and may take manual action if it appears an attack is happening.
- re WP:STRONGPASS - the requirement for admin passwords enforced by the system is a minimum requirement, largely aimed (at least in my opinion) to prevent an online attack. People are of course encouraged to use even stronger passwords. The passphrase method Guy Macon mentions is one good way of generating strong passwords. Another popular method is to use a password manager to manage your random passwords for you. In addition to using a strong password, it is vitally important to use a unique password. It is much more common for attackers to get your password from other websites than it is for them to brute-force it.
- re 8 character random password cracked in minutes. I don't think that calculation is correct. If we assume a random 8 character password (And I mean truly random, e.g. generated via dice or a password manager, not randomly chosen by a human as humans are terrible at randomly choosing a password), that's about 48 bits of entropy. Based on [18] we have about 2301200000 hashes/sec and we're using 128000 rounds PBKDF-sha256. 2^(6*8)*128000/23012100000 ≈ 1565645769 seconds = 49 years. That said, longer passwords are much better, and most people are very bad at picking random passwords. Of course, if your 8 character password is '12345678' it will be cracked in milliseconds. In any case, I'd still highly highly recommend a password longer than 8 characters. BWolff (WMF) (talk) 21:09, 6 May 2018 (UTC)
- My first password was the name of a fictional place. Then, a number, then a combination. Now it's a 15+ keystroke monster that requires hints. So far, I've stayed ahead in this Red-Queen's race.--Dlohcierekim (talk) 22:29, 6 May 2018 (UTC)
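The online rate limit quoted above (at most 50 attempts in five minutes and no more than 150 in two days), written out as an added example that is not MediaWiki's code. It throttles rather than locks, so nothing needs an administrator to reset; keying attempts on (account, source address) is an assumption, and the account name and addresses are constructed.

```python
from collections import defaultdict, deque

# Limits quoted in the thread: (max attempts, window in seconds).
LIMITS = [(50, 5 * 60), (150, 2 * 24 * 3600)]


class LoginThrottle:
    """Sliding-window throttle that delays guesses instead of locking the account.

    Assumption: attempts are keyed on (account, source address); the thread
    does not say what the real limiter keys on.
    """

    def __init__(self, limits=LIMITS):
        self.limits = list(limits)
        self.longest = max(window for _, window in self.limits)
        self.attempts = defaultdict(deque)  # key -> times of permitted attempts

    def allow(self, key, now):
        """Return True and record the attempt if key is under every limit."""
        history = self.attempts[key]
        # Forget attempts older than the longest window; they no longer count.
        while history and now - history[0] >= self.longest:
            history.popleft()
        for max_attempts, window in self.limits:
            recent = sum(1 for t in history if now - t < window)
            if recent >= max_attempts:
                return False  # throttled: try again later, no reset required
        history.append(now)
        return True


def count_allowed(throttle, key, start, seconds):
    """Number of attempts let through when key tries once per second."""
    return sum(1 for s in range(seconds) if throttle.allow(key, start + s))


if __name__ == "__main__":
    throttle = LoginThrottle()
    guesser = ("Example", "203.0.113.7")   # constructed account and addresses
    owner = ("Example", "198.51.100.20")
    print("guesses let through in one hour:",
          count_allowed(throttle, guesser, 0, 3600))
    print("guesser allowed at t=1h:", throttle.allow(guesser, 3600))
    print("owner allowed at t=1h:", throttle.allow(owner, 3600))
    print("guesser allowed again at t=2d:",
          throttle.allow(guesser, 2 * 24 * 3600))
```

With this keying, a source that exhausts its budget does not stop the account owner from logging in from another address, which is the difference from the ATM-style lockout proposed earlier in the thread.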
- No, and I don't care what anybody else thinks. "Use a standard English sentence with proper grammar, spelling, and punctuation." assumes there is a "standard English". English spelling, phrases and punctuation tends to vary by country, and often by personal background. Also, not everybody participating on English Wikipedia has English as a first-language. And God forbid anybody's account gets compromised, and they have to not panic long enough to type out the sentence. Not everybody has the same abilities, either technological or mental. I personally have encountered users (plural) who have motor skill limitations, and/or physical limitations, that would make this difficult on them. Not all users have the same level skill or abilities at anything. Please do not make it worse for people struggling already. — Maile (talk) 21:27, 6 May 2018 (UTC)
- I believe that you missed the point. Use what you consider to be a standard English sentence with proper grammar, spelling, and punctuation. If, you, overuse, commas, and, kant, spel, that's fine as long as you do it the same way every time. And if you are better at Spanish, use what you consider to be a standard Spanish sentence with proper grammar, spelling, and punctuation. If you are handicapped in such a way that you cannot type the same thing every time, sorry, but you are hosed on any system that requires a username or password. My advice also doesn't work if you are in a coma or are Amish and not allowed to use a computer. None of this applies to the discussion at hand, which is advising administrators on the English Wikipedia regarding passphrases. None of them are unable to type a standard English sentence the same way every time. --Guy Macon (talk) 07:21, 8 May 2018 (UTC)
- The advice to use standard English is usually meant as Don't use abbreviations or misspellings in your password because that doesn't make your password any harder to break. If you are using the, "use a long sentence as a passphrase method", you should spell out your long sentence in whatever way you normally write. The downside to the long sentence method is that it can be difficult to enter such a long thing into a password box (even if you don't have motor skill/physical limitations, but obviously its much harder for people who do have such limitations). For people who have difficulty entering long passwords, probably the best approach is to use a password manager program, which means you don't have to enter the password at all as the program takes care of it for you. Password managers are an approach that I personally would recommend in general as being the easiest way to have a secure password. BWolff (WMF) (talk) 21:54, 6 May 2018 (UTC)
- U wot, M8? Standard English ya say? That'd limit me choises, now woulden' it?--Dlohcierekim (talk) 22:33, 6 May 2018 (UTC)
- I use a password manager, but I still need to remember the passphrase to get at all the other passwords in the password manager. --Guy Macon (talk) 22:37, 6 May 2018 (UTC)
No need to do the math. Steve Gibson has done it for us. See [ https://www.grc.com/haystack.htm ].
The calculation is done locally, using Javascript, so the password doesn't leave your computer. To be extra safe, try
- HZn?m+jW
- PhBixXL4
- qza7nm3g
- pgupwmxn
- 54606559
as your 8-character test password.
I just generated the above from my atomic decay true random number generator, set to choose from:
- The 95 ASCII printable characters (0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ `~!@#$%^&*()-_=+[{]}\|;:'",<.>/?)
- The 62 ASCII a-z/A-Z/0-9 characters (0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ)
- The 36 ASCII a-z/0-9 characters (0123456789abcdefghijklmnopqrstuvwxyz)
- The 26 ASCII a-z characters (abcdefghijklmnopqrstuvwxyz)
- The 10 ASCII 0-9 characters (0123456789)
BTW, an 8x Nvidia GTX 1080 system is pretty low powered for this. If you want to read the details, see [On the Economics of Offline Password Cracking - Purdue CS].
Key quotes:
"Nevertheless, our analysis suggests that even PBKDF2-SHA256 with 100,000 hash iterations is insufficient to protect a majority a user passwords [from an offline attack]"
"Bonneau and Schechter observed that in 2013, Bitcoin miners were able to perform approximately 2^75 SHA-256 hashes in exchange for bitcoin rewards worth about $257M. Correspondingly, one can estimate the cost of evaluating a SHA-256 hash to be approximately $7 x 10^-15."
Or, we can just skip the math and see what happens when we try "Sherwood painted his Subaru pink so that it would blend in with his flamingos." on the GRC calculator. The time to crack goes from 27.57 seconds to 10.05 million trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries. --Guy Macon (talk) 22:37, 6 May 2018 (UTC)
- I feel so inadequate, now. Mine would only take 100 trillion years!--Dlohcierekim (talk) 23:06, 6 May 2018 (UTC)
- ...and that's only if the attacker is really unlucky. On the average, he will be able to crack your account in a mere 50 trillion years, while I will be sitting back with my 64-character passphrase and 12 million trillion trillion trillion trillion trillion trillion trillion trillion centuries cracking time. Or until someone decides to beat it out of me...[19] --Guy Macon (talk) 08:21, 8 May 2018 (UTC)
- @Guy Macon: Thanks for the link to that paper - I hadn't read it before, and their password cracking economic model is quite interesting. However, I'm unsure about the assumption that password crackers have access to ASICs similar to bitcoin miners - ASICs are very costly to develop (hundreds of millions of dollars up front cost). As far as I am aware, nobody has publicly made (let alone publicly sells) such machines, so the adversary would have to be very well funded in order to develop them. ASICs are way out of my knowledge area - but some googling also suggests that password cracking with ASICs might be difficult for a dictionary attack due to bandwidth limitations on transferring candidate passwords to the ASIC (That of course would not apply to a brute force attack), so even if an ASIC was developed it's unclear it would be as useful as they are in the bitcoin case. As for the GRC calculator - it's very hard to give accurate estimates of password strength as there are many factors and assumptions you have to make. First of all, since it is a generic calculator, it wouldn't take the key stretching we use at wikimedia into account. On the other hand, it was published in 2012 and password crackers have gotten faster since then (e.g. The 8x Nvidia is what I would describe as an "Offline Fast Attack Scenario", and is 10x faster than what the GRC page describes for that strategy). More importantly, that page only describes a brute force attack, where most adversaries would probably try a dictionary attack. For example, the password "dolphin" (Which by some measure is the 347th most popular password [20]) according to GRC would take 3 months in an online attack scenario, where in reality it would fall in less than a second since it's the 347th most popular. Similarly, the GRC page lists 'aaaaaaaaaaaaaaaaaaaa' as being a good password, which I would disagree with.
All this however is kind of getting far afield, and I do agree with your advice that longer passwords are better and having a longer password is more important than having a complex password (unless your password is super obvious as that's not good either). BWolff (WMF) (talk) 00:28, 8 May 2018 (UTC)
- Thanks! I agree with pretty much everything above. The GRC website also agrees (see the "IMPORTANT!!! What this calculator is NOT..." section.) I probably should have talked more about dictionary attacks. My collection of cracking dictionaries is getting big enough that I will likely have to buy a bigger drive to hold them soon. (No, I am not a malicious hacker. Some companies hire me to evaluate their security. Or at least that's the story I am telling now... :) )
- Any decent dictionary attack will try "a" "aa", "aaa" up to at least 64 repetitions, and will also try "b", "bb", "bbb", etc. The good news is that if you use two words in that big cracking dictionary separated by a space, the time for an exhaustive search is squared, and with three it is cubed. The example I made up above "Sherwood painted his Subaru pink so that it would blend in with his flamingos." has 14 dictionary words. Even if the dictionary was really tiny (say, 1000 words), that's 10^42 guesses. And such a dictionary is unlikely to contain "Sherwood" (with the capitalization) "Subaru", or "flamingos." (with the trailing period).
- Regarding ASICS, the zipfs paper correctly concludes "an attacker who is not willing to pay to fabricate an ASIC could obtain similar performance gains using a field programmable gate array (FPGA)". The really interesting question that the zipfs paper cannot answer is this; how much is it worth to get every password for every Wikipedia user and not have the WMF detect this for a couple of years? Is it worth more or less than the Yahoo or AshleyMadison breaches? Is it worth ordering custom ASICS? Hard to tell.
- I have a couple of interesting questions for the WMF.
- [1] The zipfs paper says "Many breaches (e.g., Yahoo!, LinkedIn, Dropbox) remained undetected for several years." What would happen if we suddenly found out that a couple of years back someone had cracked every Wikipedia password, from Jimbo down to the huge number of accounts that registered years ago and haven't logged on since? Obviously we tell everyone to pick a new password, but how do we know that the person doing the picking isn't an attacker? I assume that we have a plan in place for this and other unlikely disasters.
- [2] Has anyone at the WMF evaluated the zipfs paper's advice about either memory hard algorithms or distributed authentication servers? --Guy Macon (talk) 08:21, 8 May 2018 (UTC)
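The two calculations in this part of the thread (BWolff's 2^(6*8) keyspace stretched by 128000 PBKDF2 rounds, and Guy Macon's 1000-word dictionary raised to the 14th power), combined into one estimator as an added example that is not any participant's code. Taking the cheapest of several attack models, the five-entry common-password list and the assumption that every word of a passphrase is in the attacker's dictionary are illustrative choices; the hash rate is the figure used in the thread's formula.

```python
import string

PBKDF2_ROUNDS = 128_000               # rounds quoted in the thread
RAW_HASHES_PER_SEC = 23_012_100_000   # rate used in the thread's formula
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for a real cracking dictionary, most popular first.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "dolphin"]
MAX_REPEATS = 64   # runs of one character a dictionary attack tries (per the thread)

SENTENCE = ("Sherwood painted his Subaru pink so that it would "
            "blend in with his flamingos.")


def alphabet_size(password):
    """Size of the smallest standard character pool that covers password."""
    size = 0
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += 33   # the other 33 printable ASCII characters, space included
    return size


def estimate_guesses(password, dict_size=1000):
    """Return (model, guesses) for the cheapest attack model that applies."""
    candidates = {"brute-force": alphabet_size(password) ** len(password)}
    if password in COMMON_PASSWORDS:
        # A dictionary attack tries popular passwords first.
        candidates["common-list"] = COMMON_PASSWORDS.index(password) + 1
    if len(set(password)) == 1 and len(password) <= MAX_REPEATS:
        # "a", "aa", "aaa", ... for each of the 95 printable characters.
        candidates["repeated-char"] = 95 * MAX_REPEATS
    words = password.split()
    if len(words) >= 2:
        # Assumes every word is in the attacker's dict_size-word dictionary.
        candidates["word-dictionary"] = dict_size ** len(words)
    model = min(candidates, key=candidates.get)
    return model, candidates[model]


def offline_seconds(guesses, rounds=PBKDF2_ROUNDS, rate=RAW_HASHES_PER_SEC):
    """Worst-case seconds to try every guess when each costs `rounds` hashes."""
    return guesses * rounds / rate


if __name__ == "__main__":
    samples = ["54606559", "HZn?m+jW", "dolphin", "a" * 20, SENTENCE]
    for pw in samples:
        model, guesses = estimate_guesses(pw)
        years = offline_seconds(guesses) / SECONDS_PER_YEAR
        print(f"{pw[:24]!r:28} {model:16} {years:.3g} years")
```

A brute-force-only calculator would rate "dolphin" and the run of twenty a's by length alone; taking the minimum over models is what exposes them.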
Account hacking of World War II editors?
Hello all, something is definitely afoot at the Circle K. I am seeing some reports about people who edit World War II articles having attempts made by someone to access their accounts. User:LargelyRecyclable alerted two other World War II editors of this problem [21] and just this afternoon the Wikipedia system alerted me that someone had tried to log into my account multiple times from a new location. On top of it all, there was a strange occurrence a few weeks ago, where someone impersonating an administrator called my job and asked I be "investigated" for my World War II related work on Wikipedia. User:Kierzek and I are both well known WWII editors and I wonder if others are having these experiences too. I changed my password this afternoon, I would encourage others to do the same if they are being affected by this. The most troublesome thing is that the group making mention of this are all World War II history editors, which is why I brought it up here. If for no other reason, then just to alert the powers-that-be that something is going on. -O.R.Comms 21:43, 3 May 2018 (UTC)
- I can confirm an attempt was made on mine. As mentioned on the linked discussion above, I suspect that Prüm was successfully compromised. I'm not sure when exactly it happened but some of the implications of the comments the account left at ArbCom are very worrisome. That someone called your work is also a very serious issue. This seems to be targeted and possibly related to the ArbCom case. LargelyRecyclable (talk) 21:50, 3 May 2018 (UTC)
- This is probably unrelated, as it has been almost five years since I edited anything related to WW II, but I received notice of someone trying to log into my account from another computer today, and someone left a comment on my user talk page in the Arabic Wikipedia, which I have never touched. Donald Albury 21:56, 3 May 2018 (UTC)
- See this thread. I don't think is World War II-related, it's someone trying to hack into a great many unrelated accounts. -- Euryalus (talk) 21:59, 3 May 2018 (UTC)
- (edit conflict) There's a thread about these hijacking attempts about two sections up. It's been going on all over, all day. It doesn't appear to be targeted at any one group or subgroup that anyone can tell so far. ♠PMC♠ (talk) 22:00, 3 May 2018 (UTC)
- (edit conflict)I have not had any issues, so far, but given the current atmosphere, so to speak, I am not surprised. Kierzek (talk) 22:01, 3 May 2018 (UTC)
- (edit conflict) It may be a site-wide attempt and not targeted, I've seen similar concerns above. The additional facets of O.R. having his work called specifically about WWII editing and comments made with the Prum account at ArbCom may be unrelated but I'd still advise additional caution for any editors who've done work in that area. LargelyRecyclable (talk) 22:01, 3 May 2018 (UTC)
Just notified of a failed attempt on my account. Cinderella157 (talk) 22:08, 3 May 2018 (UTC)
I also had a failed attempt, as did another member of WP:Indigenous. Other user is not an admin, both attempts failed. Checking with other admins who did not have attempts made. There may be a pattern with targeting wikiprojects and those who edit in controversial areas. Or it could be random. I lean slightly to the former, but no hard evidence yet. - CorbieV ☊ ☼ 22:20, 3 May 2018 (UTC)
It's random. I barely edit and I just got a failed attempt. Valeince (talk) 23:04, 3 May 2018 (UTC)
Me too., and I'm not involved in any of the projects mentioned above. It seems to be some kind of wide-ranging attack. Coretheapple (talk) 23:15, 3 May 2018 (UTC)
- Yep, I had an attempt about 9hours ago. I've changed my password, which was decent, to a much stronger one. Blackmane (talk) 23:21, 3 May 2018 (UTC)
Likewise. ♦ J. Johnson (JJ) (talk) 23:22, 3 May 2018 (UTC)
- I just got notified there was a failed attempt to log into my account. — Maile (talk) 23:25, 3 May 2018 (UTC)
- I'm all but quiescent these days in terms of editing and I got an alert as well. Obviously someone working through a list, though whether it's admins or something else... Tabercil (talk) 23:36, 3 May 2018 (UTC)
- Again, everyone, there were over 70,000 attempted logins per hour for several hours. Basically, they tried to reset the password of everyone. Beeblebrox (talk) 00:09, 4 May 2018 (UTC)
- This also came up at the help desk (where I mentioned that an attempt had been made on my account too), although that discussion has apparently been closed to try to centralize discussion here. The attacks are on far more than just World War II editors. I don't know where Beeblebrox's 70,000 figure is coming from, but I wouldn't doubt it. Master of Time (talk) 00:18, 4 May 2018 (UTC)
- The number comes from the WMF. I have been told they are releasing some sort of statement about this soon. [22] Beeblebrox (talk) 00:22, 4 May 2018 (UTC)
Statement from WMF
Just noting here that the Wikimedia Foundation has sent a statement out to the wikimedia-l mailing list: [23]. Mz7 (talk) 00:30, 4 May 2018 (UTC)
Full text of statement
Hello,

Many of you may have been receiving emails in the last 24 hours warning you of "Multiple failed attempts to log in" with your account. I wanted to let you know that the Wikimedia Foundation's Security team is aware of the situation, and working with others in the organization on steps to decrease the success of attacks like these. The exact source is not yet known, but it is not originating from our systems. That means it is an external effort to gain unauthorized access to random accounts. These types of efforts are increasingly common for websites of our reach. A vast majority of these attempts have been unsuccessful, and we are reaching out personally to the small number of accounts which we believe have been compromised.

While we are constantly looking at improvements to our security systems and processes to offset the impact of malicious efforts such as these, the best method of prevention continues to be the steps each of you take to safeguard your accounts. Because of this, we have taken steps in the past to support things like stronger password requirements,[1] and we continue to encourage everyone to take some routine steps to maintain a secure computer and account. That includes regularly changing your passwords,[2] actively running antivirus software on your systems, and keeping your system software up to date.

My team will continue to investigate this incident, and report back if we notice any concerning changes. If you have any questions, please contact the Support and Safety team (susa@wikimedia.org).

John Bennett
Director of Security, Wikimedia Foundation
General Advice from a Non-Admin
My advice, both to non-admins who can't use two-factor authentication, and to admins, who can use it, is simply to check your User Contributions regularly and make sure that they are all your own. If so, your account has not been compromised, and if your password is strong, it is not likely to be compromised. Robert McClenon (talk) 01:21, 4 May 2018 (UTC)
- This really seems more like a really elaborate troll than a genuine attempt at compromising tens of thousands of accounts. Just look at how much discussion, verging on panic, it has generated. I’m sure whoever made the bot that did this is very pleased with themselves right now. Beeblebrox (talk) 01:34, 4 May 2018 (UTC)
- Should this all be rev-delled under DENY? L3X1 ◊distænt write◊ 02:04, 4 May 2018 (UTC)
- (edit conflict) Having a Wikipedia:Committed identity isn't a bad idea if you might ever have to recover your account. Additionally - I believe editors who are admins on any wikimedia wiki can enable 2FA. SQLQuery me! 01:34, 4 May 2018 (UTC)
- No, the attempt is likely a serious attempt at gaining credentials. If a hacker logs into User:Example's account, and User:Example reuses their username somewhere else (example@hotmail.com) with the same password, they can be royally screwed. The usurpation of Wikipedia identity is most likely not what they are after and the least of your worries if that happens. E.g. if it's a dummy email, no real consequence comes of it. But if you use that email to conduct every day business, your banking, have sensitive information, etc... well the people involved would now have access to that, and use that new information to further acquire other information and credentials. Headbomb {t · c · p · b} 04:09, 4 May 2018 (UTC)
- SQL is correct, an editor who is an admin on any wiki can enable/disable 2FA on their account. I've been experiencing attempts to access my account for over a week now and I have enabled 2FA through being an admin at test wiki. -- Dane talk 05:31, 4 May 2018 (UTC)
- A strong password is the solution. If you are mostly editing from one place (say home) just write on a piece of paper a random combination of characters, 25 characters long (make sure you are not able to memorize it - otherwise make it longer) which contains small and large case letters, numbers and special characters - and possibly even letters of other alphabets if you can reproduce them with your keyboard. This will be your Wikimedia password. Have it written on the paper in a secure place (no chance to lose) and never use it elsewhere, on any other websites.--Ymblanter (talk) 05:47, 4 May 2018 (UTC)
- "Mr. Owl—how many flops does it take to get to the Tootsie-Roll™ center of a Tootsie Pop™?" Factchecker_atyourservice 14:46, 4 May 2018 (UTC)
- I strongly suspect that whoever is doing this is using a list of passwords leaked from other sites, rather than trying to brute force their way into each account. I doubt they're even trying variations on the password that's on that list. That's why most of us are only getting one failed login attempt and that's it. While it's good to have a strong password anyway, if what I think they're doing is what they're doing, changing the password is the kicker. Ian.thomson (talk) 14:55, 4 May 2018 (UTC)
- It looks indeed like yesterday they did not really attempt to break down any accounts, just let know that they exist to the largest possible amount of active user. However, this is not an isolated incident. We had recently two admin accounts broken, apparently because they re-used the passwords from other sites which were in the yahoo leak, or some other massive leak. I mentioned above that I regularly get attempts to break in to my account, sometimes up to several hundreds per day. It is obviously not possible to break a strong password which is not used on any other sites, however, it should be possible to break a weak password or to steal the existing password from elsewhere. 25 characters may be an overkill, but gives pretty much the guarantee - assuming they do not break in physically to one's house and there is no fire.--Ymblanter (talk) 15:08, 4 May 2018 (UTC)
- Don't know if anyone mentioned yesterday's twitter breach, but if you used the same password there as here, you should change both quickly.--Dlohcierekim (talk) 15:24, 4 May 2018 (UTC)
- My user name and password are unique to this site. --Dlohcierekim (talk) 15:27, 4 May 2018 (UTC)
- Here's some handy advice. Lugnuts Fire Walk with Me 17:14, 4 May 2018 (UTC)
- Since everyone is giving advice I may as well chime in. The main reason people don't use strong passwords unique to each account is that it's practically impossible to remember all those passwords. But you can use a password manager to keep track of them and to at least partially automate the process of entering passwords. I use something called KeePass but there are lots of alternatives -- see our List of password managers. Shock Brigade Harvester Boris (talk) 03:18, 5 May 2018 (UTC)
It happened again, two more attempts. If you can find out who, please ban him. Do I have any reason to be nervous, if my password is safe? Alex of Canada (talk) 17:33, 4 May 2018 (UTC)
- In a word, no. Primefac (talk) 17:38, 4 May 2018 (UTC)
- User:Alex of Canada - I agree with User:Primefac. If your password was and is strong and it hasn't been compromised, you are all right. Just check your User Contributions from time to time. I will comment that the hacker or bot may be hoping to get people to panic and to change their strong passwords to new weaker passwords, but that is only my guess. Robert McClenon (talk) 13:21, 5 May 2018 (UTC)
- I will also comment that password regimes that require frequent changes of passwords, and that prohibit the use of a previously used password, are well-meaning but actually make things worse, because they increase the likelihood that the user will need to write down the password. This comment applies both to Wikipedia and to employer or government systems. Robert McClenon (talk) 13:21, 5 May 2018 (UTC)
- MeToo, earlier today. --BrownHairedGirl (talk) • (contribs) 20:03, 4 May 2018 (UTC)
- Yes, I got a failed-login warning a couple of days ago, but thought nothing of it at the time: I'm surprised there aren't more brute-force attacks. Perhaps this is where some sort of anti-bot measures might help? -- The Anome (talk) 09:22, 6 May 2018 (UTC)
See Wikipedia:Administrators' noticeboard#PSA: Admins might be better off with a long passphrase rather than two-factor authentication. --Guy Macon (talk) 20:06, 4 May 2018 (UTC)
- A wise Owl indeed.--Dlohcierekim (talk) 19:16, 5 May 2018 (UTC)
page break
looks like it's falling off.--Dlohcierekim (talk)
- They're at it again today (I just got an alert that multiple failed attempts had been made to log into my account...). - Tom | Thomas.W talk 11:43, 7 May 2018 (UTC)
- I just got notifications for it today again. Got some before this conversation on AN started on the 3rd and some today. Thanks for jinxing it, Dlohcierekim. :) — Moe Epsilon 13:53, 7 May 2018 (UTC)
- They took the weekend off?-- Dlohcierekim (talk) 14:41, 7 May 2018 (UTC)
- Two attempts on mine just now. --Masem (t) 14:45, 7 May 2018 (UTC)
- I just got a notice that there have been multiple failed attempts to log into my account from a new device. The other day it was just one attempt. This is getting worse and I don't like it. Someone may be trying to steal my bank account or credit card information this way. Something had better be done to stop this or WP will lose editors including me. I feel like deleting my account and all my information right now. It isn't worth taking the risk. Smeat75 (talk) 15:32, 7 May 2018 (UTC)
- @Smeat75: Which would make your account more susceptible to hijack. Change your password here to something stronger. If it is the same as your password anywhere else, change your elsewhere password at once to something different. Get a committed identity hash. If you have not done so already, enable email. -- Dlohcierekim (talk) 16:37, 7 May 2018 (UTC)
- How would someone get your bank information through your wikipedia account? Natureium (talk) 16:41, 7 May 2018 (UTC)
- Password reuse. Banks should be much more secure, but theoretically the attack vector first tries to find a working username/password combination on one site. If they get that, they then use it on a more interesting site (bank, turbotax, whatever). Again, there's no evidence that any of this has been the least bit successful, and this is all just speculation at this point. ~ Amory (u • t • c) 17:32, 7 May 2018 (UTC)
Suggestion for alleviating panic
I'm in for the first time in almost a week and was surprised to see that someone had made an attempt on my account. It was a few moments before I found this thread, and in light of that I'd like to suggest running a message through the message delivery system to all accounts on Wikipedia advising them of the situation so that our editor base gets caught up on this as soon as possible. Those who have email enabled (like me) should see the email alert in the inbox along with the section header, while those like me coming in late to the party will have the talk page message notice here and will (hopefully) check there first to get caught up. In this way we can get out ahead of this and circle the wagons, such as it were, before editors panic and act before thinking. TomStar81 (Talk) 14:17, 7 May 2018 (UTC)
- I suggest everyone get a committed identity hash string (read this first, and then get the string here), to be able to get their account back in case someone manages to take over the account (just to clarify things: getting a committed identity here does not require revealing your real life identity to anyone, you're as anonymous after getting the hash string as you were before getting it...). - Tom | Thomas.W talk 14:36, 7 May 2018 (UTC)
- @TomStar81: Great idea. I almost suggested it, but did not know how or where.-- Dlohcierekim (talk) 14:42, 7 May 2018 (UTC)
- Yes, anyone who has not done so already needs to get a committed identity & a really strong password, and enable email.-- Dlohcierekim (talk) 14:44, 7 May 2018 (UTC)
- And I strongly suggest laagering.-- Dlohcierekim (talk) 14:47, 7 May 2018 (UTC)
- I just tweaked my password for the sake of safety. As for the message, I'd propose something like this:
- Annnnd, was said login successful?-- Dlohcierekim (talk) 16:50, 7 May 2018 (UTC)
== Attempted Hacking of Wikipedia Accounts==
On or about May 4th, 2018, the Wikimedia foundation noted a massive cyberattack against the English Wikipedia with the apparent goal of locating users utilizing weak passwords in order to compromise the accounts. Steps are currently being taken to track down the origin of the attack, but as a precaution all Wikipedia users with a registered account are being asked to review their accounts and passwords in order to ensure that your account does not end up compromised. Measures editors are advised to take include the following:
- Choose a strong password
- Ideally, a strong password is a password that uses a combination of symbols, numbers, and capital and lower case letters. Users are required to provide a minimum 8-letter password, but a longer password is viewed as more secure and passwords with letters, symbol, and number combinations are shown to be stronger than simple words or phrases. Additionally, users should refrain from picking out simple passwords easily guessed (such as abcd1234 or password).
- Obtain a Committed Identity Hashstring
- A Committed Identity Hashstring is a security measure that allows users to type words, phrases, and other information which when put through a hash are scrambled, resulting in an unreadable line of random letters and numbers. The only person who would know what the unscrambled letters and numbers translate to would be you, thus ensuring that you could reclaim your account if it is compromised. More information about this measure can be found here, and users wishing to implement this security option may do so here.
- Enable Two-Factor Authentication
- Two factor authentication was added as an additional security measure for certain high privileged Wikipedia accounts - most notably, those who possess admin rights. Enabling this will make it that much harder for unauthorized persons to gain access to your Wikipedia account.
- Enable E-mail notifications
- Users who possess registered accounts on Wikipedia have the option of enabling email notifications for talk page messages, which may be useful for helping you to spot and stop attempts on your account as well as for keeping up to date with developments as this incident progresses.
For more information on the series of events, and to consolidate the discussions on this matter, see Wikipedia:Administrators'_noticeboard#Please_help-_who_tried_to_break_into_my_account? and its subsequent threads.
Of course, I'm open to adding or subtracting information as needed; just as long as we get the word out it should help our situation. TomStar81 (Talk) 15:19, 7 May 2018 (UTC)
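The commit-then-reveal mechanism behind the committed identity described in the proposed message, as an added example (not code from this discussion or from Wikipedia's own tooling). SHA-512, the `{{Committed identity|hash|hash name}}` wikitext shape and the canonical form used here are assumptions, and the sample secret is constructed.

```python
import hashlib
import hmac
import re
import secrets
import unicodedata

ALLOWED = {"sha256", "sha384", "sha512"}  # digests this example accepts


def canonical(secret: str) -> bytes:
    """Example convention: NFC-normalise, collapse whitespace, encode as UTF-8.

    The digest covers exact bytes, so the same convention must be applied
    when committing and when later proving ownership.
    """
    text = unicodedata.normalize("NFC", secret)
    return " ".join(text.split()).encode("utf-8")


def make_secret(facts, nonce=None) -> str:
    """Join personal facts and append a random nonce.

    The published digest is public, so a secret built only from guessable
    facts could be confirmed by anyone who guesses them; the nonce prevents that.
    """
    nonce = nonce or secrets.token_hex(16)
    return "; ".join(list(facts) + ["nonce " + nonce])


def commit(secret: str, algo: str = "sha512") -> str:
    """Return the hex digest that gets published on the user page."""
    if algo not in ALLOWED:
        raise ValueError("unsupported digest: " + algo)
    return hashlib.new(algo, canonical(secret)).hexdigest()


def render_box(secret: str) -> str:
    """Wikitext for the user page (assumed template shape)."""
    return "{{Committed identity|%s|SHA-512}}" % commit(secret)


def parse_box(wikitext: str):
    """Extract (digest, algo) from user-page wikitext, validating both."""
    m = re.search(r"\{\{\s*[Cc]ommitted identity\s*\|([^{}]*)\}\}", wikitext)
    if m is None:
        raise ValueError("no committed identity box found")
    fields = [f.strip() for f in m.group(1).split("|")]
    digest = fields[0].lower()
    named = "SHA-512"  # default when the box names no hash function
    if len(fields) > 1 and fields[1] and "=" not in fields[1]:
        named = fields[1]
    algo = named.lower().replace("-", "")
    if algo not in ALLOWED:
        raise ValueError("unsupported digest: " + named)
    expected_len = hashlib.new(algo).digest_size * 2
    if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) != expected_len:
        raise ValueError("digest is not valid hex of the expected length")
    return digest, algo


def verify(claimed_secret: str, wikitext: str) -> bool:
    """True if the revealed secret matches the digest published earlier."""
    digest, algo = parse_box(wikitext)
    return hmac.compare_digest(commit(claimed_secret, algo), digest)


# Constructed sample data: not a real person, number or nonce.
SAMPLE_SECRET = make_secret(
    ["Jane Q. Example", "reachable at 555-0100", "first edit from the caf\u00e9 on 5th"],
    nonce="8d1f0c2a9b7e4f63",
)
SAMPLE_BOX = render_box(SAMPLE_SECRET)

if __name__ == "__main__":
    print(SAMPLE_BOX)
    print("owner reveals secret :", verify(SAMPLE_SECRET, SAMPLE_BOX))
    # Same text typed with decomposed accents and stray spaces still matches.
    retyped = unicodedata.normalize("NFD", SAMPLE_SECRET) + "  "
    print("retyped on other host:", verify(retyped, SAMPLE_BOX))
    # One wrong digit in the secret fails.
    print("wrong phone number   :", verify(SAMPLE_SECRET.replace("0100", "0101"), SAMPLE_BOX))
```

The secret itself is kept offline; only the digest goes on the user page, before any compromise, so that the page history shows the commitment predates the takeover.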
- Strongly Object @TomStar81: sending a mass message to "all accounts" is a huge waste of job resources, especially as most accounts are dormant. If we want this to get to a large number of editors, using the logged-in user sitenotice would be preferable IMHO. — xaosflux Talk 15:26, 7 May 2018 (UTC)
- @Xaosflux: Mass message is the only messaging system I was familiar with; if there is another or better system, then by all means use that instead. The important thing is that we get the word out. Keep in mind too that, as I noted above, I'm coming into this days after the fact - for all I know this could have long since been resolved (though judging from above I don't think that to be the case) which would mean the whole point of the message is now...useless. In any event, handle it how you judge it should be handled. As for me, I've got to be off to work here soon so I'll likely be unavailable for a few hours. I leave my suggestion in the board's capable hands, and trust that the best course of action will present itself and be implemented as consensus wills. TomStar81 (Talk) 15:32, 7 May 2018 (UTC)
- For anyone following, I'm referring to MediaWiki:Sitenotice - this would put a banner on the top of the web page for logged in users. It would not send them emails or trigger notification. — xaosflux Talk 15:36, 7 May 2018 (UTC)
- Oh, ok. I take it back; I am familiar with this sort of messaging, I just didn't know what it was called - at least not properly. That would probably work best, all things considered. TomStar81 (Talk) 15:40, 7 May 2018 (UTC)
- Likewise oppose this, as well as a sitemessage or watchlist notice. A great many users appear to be targeted (I have thus far received no notifications and am starting to feel left out!) but unless I'm mistaken there has been no evidence of any success on the part of the attacker. A reminder to use strong passwords is always worthwhile, and maybe worth considering via sitemessage/watchlist once this has subsided, but I don't see the utility in alarming a great many people when by all accounts everything is working just fine. ~ Amory (u • t • c) 15:41, 7 May 2018 (UTC)
- The only accounts that have been compromised in the last couple of years were the ones that re-used compromised passwords with other sites. There is really no need for mass messages or sitenotices here. The same best security practices apply today as they did a year ago - have a strong password, and if you're particularly concerned you can include other measures like 2FA (or committed identity, but honestly I have no idea how that works and can't find any read-able guide to it on here). -- Ajraddatz (talk) 16:03, 7 May 2018 (UTC)
- @Ajraddatz: I too was unsure, but now I have it--> WP:Committed identity.
- @TomStar81: as of this morning it had resumed.-- Dlohcierekim (talk) 16:33, 7 May 2018 (UTC)
- In favor of any notification system that would let users know about this so they can take appropriate action.-- Dlohcierekim (talk) 16:43, 7 May 2018 (UTC)
- Thanks - that page puts it very clearly. Seems like a sensible measure indeed, speaking as one of the people who coordinates the return of compromised accounts to their owners. -- Ajraddatz (talk) 16:46, 7 May 2018 (UTC)
- I would also note that in the discussions that led up to the current password policy, the notion that you must use a combination of upper and lowercase, symbol, and numbers to have a strong password was strongly rejected by the community. Beeblebrox (talk) 17:53, 7 May 2018 (UTC)
Hi everyone. While the attacker continues to try and login at a very high rate, we are currently blocking his/her login attempts. At this time, there is no need to panic or do anything. We of course always encourage all users to use a strong password. BWolff (WMF) (talk) —Preceding undated comment added 18:10, 7 May 2018 (UTC)
- Having finally had the chance to start logging back in, I find all this...oi vey. Anyway, relevant to the above, I'll note that "require 2FA" is an absolute non-starter for other reasons: there are those of us who do not have smartphones and/or cell service at our computing locations at all. - The Bushranger One ping only 08:37, 8 May 2018 (UTC)
- @The Bushranger: FWIW, you can run a TOTP on a computer. While it doesn't prevent an attack that compromises that one computer as well - it will remote attacks. — xaosflux Talk 11:51, 8 May 2018 (UTC)
Clarification of a block evasion situation (without intent of deception) by Terry Foote
A discussion about potential block evasion at User_talk:Terry Foote#Authorship_of_photo? was recently brought to my attention. It seems that Terry Foote had two accounts, his original account as User:Terry Foote and then a second account that was indefinitely blocked as User:Googie_man. Terry Foote has continued editing on the former account, contributing productively for a rather long period of time (ten years is my understanding). I let Jehochman know about the situation since he was the original blocking admin, and then pinged Alex Shih to weigh in on the situation. Despite the gravity of block evasion, it seems clear to me that since deception was not the intent in this case, we can just leave the Googie_man account blocked and let Terry Foote continue to contribute productively. Still, I wanted to bring the discussion to the community's attention nonetheless. ceranthor 14:21, 5 May 2018 (UTC)
- While I agree block evasion is one of the worst offences here, and deserves the present summary block on sight system, I also believe this one stands out. A decade is a long time, Wikipedia has completely transformed within these years. Since there's no clear intent of disruption or any infraction all this while, I suggest this to be resolved with no action, and the user be left to continue editing. –Ammarpad (talk) 18:46, 5 May 2018 (UTC)
- If the user isn’t causing a problem, let’s leave them be. Jehochman Talk 18:58, 5 May 2018 (UTC)
- I concur with the thoughts above. "Blocks are used to prevent damage or disruption to Wikipedia, not to punish users." (taken from the lede of WP:BLOCK). --joe deckertalk 00:36, 6 May 2018 (UTC)
- Leave be = net positive. While I don't know how we know this, he has been editing constructively, and without repeating the problems from the other account, for a very long time. Long past the time when he could have received the standard offer. But what for? He does not need that tainted account, and he is constructive with this one. --Dlohcierekim (talk) 05:49, 6 May 2018 (UTC)
- Blocking at this juncture would be punitive, not to mention doing so for the sake of blind adherence to process damages WP more than it improves it. IAR and let bygones be bygones. Blackmane (talk) 03:12, 7 May 2018 (UTC)
- People get blocked to prevent the disruptive things that they do. If a person does disruptive things, is blocked, and then comes back and doesn't do those disruptive things any more (so much so that nobody figured out for ten years that it was the same person) then the block served its purpose, and we got a prolific contributor out of the deal. This is basically a textbook WP:CLEANSTART, so long as we ignore the bit about it being invalid. I endorse clemency. Ivanvector (Talk/Edits) 18:23, 7 May 2018 (UTC)
Request to an admin who has the power to delete pages that have over 3000 edits
- Please do this (ref discussion at User talk:Anthony Appleyard#Eminem albums discography):
- Delete Eminem discography, but not Talk:Eminem discography or Talk:Eminem discography/Archive 1 or Talk:Eminem discography/Archive 2.
- This is the long delete: delete Eminem albums discography. (Warning: it is sitting over 2 old deleted redirect edits (01:10, 1 January 2015 by User:Chasewc91 and 00:57, 17 August 2014 by User:SNUGGUMS.)
- This is the long undelete: Undelete all edits of Eminem albums discography except (a) 16:36, 4 May 2018 by User:SNUGGUMS and all later edits, and (b) the 2 above-mentioned already-deleted redirect edits.
- Move Eminem albums discography to Eminem discography, do not leave a redirect.
- Redirect Eminem discography to Eminem#Discography.
- Undelete the remaining deleted edits at Eminem albums discography, but not the 2 old redirect edits.
- Thanks. Anthony Appleyard (talk) 21:47, 5 May 2018 (UTC)
- Only people who can do this are the stewards. Courcelles (talk) 21:49, 5 May 2018 (UTC)
- If any stewards see this thread, then please be sure to help with the above ASAP. Snuggums (talk / edits) 00:48, 6 May 2018 (UTC)
- I have moved both archives (Archive 1 and Archive 2) back. But the rest of the steps above still require a steward. GeoffreyT2000 (talk) 01:11, 6 May 2018 (UTC)
You'll probably get a faster response if you post directly to steward requests page on meta. -FASTILY 05:12, 6 May 2018 (UTC)
- @Anthony Appleyard: Not a steward here, but I highly doubt you'll be able to get this done because the history at "Eminem albums discography" contains over 9,000 edits. The servers will probably have great trouble loading "Special:Undelete" because of the extremely high number of edits. When DerHexer and I tried to do a similar operation at the Madrid article (which then had over 7,600 edits), we had quite extreme difficulty with it, and in my experience the servers have only gotten more finicky about operations like that since then. They were never designed/optimised for this kind of work. Graham87 08:32, 6 May 2018 (UTC)
- Rather disappointing, but if anyone somehow beats the odds and accomplishes this, it would be quite appreciated. Snuggums (talk / edits) 14:59, 6 May 2018 (UTC)
- Could someone delete the oldest 1000, then the next day the next-oldest 1000, etc? Or is it the number of past edits and not the number of deletions that give the servers problems? --Guy Macon (talk) 18:20, 6 May 2018 (UTC)
- Good question. I never even thought about that. Snuggums (talk / edits) 18:31, 6 May 2018 (UTC)
- No. Deletion is all-or-nothing; the only way to delete part of an article's history is via a process similar to what Anthony wrote above, and always has to begin with deleting the entire article. (You can revision-delete parts of the history, but that wouldn't be helpful - deletion and revision-deletion have essentially nothing in common other than policy, terminology, and that their end result is to hide some chunk of information from most users.) —Cryptic 18:40, 6 May 2018 (UTC)
- The deletion is all-or-nothing, but if done in small batches, it shouldn't be impossible to restore a couple hundred revisions at a time. It probably would be better if a stew looked at it, but if not it can be done by an admin with a lot of patience. Primefac (talk) 20:57, 6 May 2018 (UTC)
Note by a steward: I can delete and undelete pages all-or-nothing with an unlimited number of revisions but I don't think that I can access Special:Undelete when there are more than a couple of thousand edits to select some to be restored. It might be possible from the database site but for that you will need a database admin. Best, —DerHexer (Talk) 22:51, 6 May 2018 (UTC)
- I've restored 6000 revisions at once before, so it can be done, though it was of course very slow. Probably depends on how much existing strain is on the server. That said, with 9,700 edits, I don't want to delete the article and then be unable to recreate it. Best to start a phabricator ticket to handle this if it really needs doing. -- Ajraddatz (talk) 23:26, 6 May 2018 (UTC)
TBAN for Sbelknap
Per community consensus in this discussion, Sbelknap (talk · contribs) is topic banned from all articles, pages, and discussions involving finasteride, dutasteride, or sexual health, broadly construed. Ivanvector (Talk/Edits) 12:29, 7 May 2018 (UTC)
- The following discussion is closed. Please do not modify it. No further edits should be made to this discussion.
- Sbelknap (talk · contribs · deleted contribs · logs · filter log · block user · block log)
- edit count
This person is a real world doctor of the same name; he confirmed his identity last spring, after I raised concerns that there was either impersonation or a few possible forms of COI editing going on. What I wrote then was
If you are not Belknap, there is an issue with regard to your Username, with respect to WP:IMPERSONATE which is policy.
If you are Belknap, your editing raises a host of issues, namely:
- WP:SELFCITE
- Wikipedia:Conflicts of interest (medicine) with regard to advocating for a medical theory that you embrace in the real world, here in WP
- possible financial WP:COI, if you are serving as an expert witness in any of the 5α-reductase inhibitor litigation that is going on.
The pattern of editing that concerned me was self-citing and a focus on the sexual side effects of finasteride and dutasteride, which are 5α-Reductase inhibitors that are used for hair loss and enlarged prostate. The content issues here are not easy. There is not great data on this, and on top of that a lot of men taking these drugs are older and have other problems (like being older) that cause sexual problems.
These drug articles, like our articles related to circumcision, have been plagued by advocates - men and their penises. There is an activist group called the Post-Finasteride Syndrome Foundation that has been advocating for there to be a declared "syndrome" related to permanent sexual side effects of these drugs, supports litigation against the makers of these drugs, etc. Belknap is featured prominently on the foundation website.
We previously had an editor Doors22 plaguing these articles, who finally acknowledged a COI at COIN here and agreed to stop editing directly, and was finally indeffed with the rationale "long-term SPA, advocacy, apparent COI, focuses unduly on one editor, was warned".
That COI thread was closed 9 May 2016, and the indef was 5 March 2017. Sbelknap picked up Doors22's slack, unfortunately - you can see from the bar charts in their edit count that they did very little here before Doors was indeffed.
- self citing
From very early on, like this from 2008 (which he returned to defend/tweak several times and noted that on the talk page eg here in 2008, here and here in 2009, here in 2012, referring to himself in the third person, with corresponding edits to that bit of content and his self-cite eg here in 2012 etc.
Here, added promotional stuff about his institution to the article about Chicago in 2009 and made a similar edit to the article about the neighborhood here in 2013.
(to his credit, without selfciting he created the highly technical (but I think helpful in spirit) Optimal discriminant analysis in 2009. this is a kind of statistical analysis he uses.)
- sexual side effects
So none of that is horrible. Not great, but not horrible. As I noted above, things started to get ugly last year, which is what prompted my inquiry. If you look at their edit count, over half their edits have been in the last two years, and almost all of those have been on these two drugs ( my tally is about 180 edits to these topics or discussion about them). And the focus has been entirely on these specific side effects.
I want to call folks' attention to their first substantial edit to the Finasteride page, which is this. Do you see what they did there?
In the topmost bit (the main adverse effects section) they a) removed the well-sourced content that side effects are generally minimal; b) took away the well-sourced content that most sexual side effects vanish with time; c) did nothing about the insane thing, that we mention sexual side effects before the risk of high-grade prostate cancer, which will kill you. (we had agreed to that, trying to get Doors to calm down, but it remains a bad compromise that anybody looking at the page with fresh, objective eyes should wonder at, as User:Jfdwolff noted here).
In the bottom part, they ramped up the urgency and cited a primary source.
This is very characteristic of the rest of the approximately 180 edits they have made on this narrow topic. Right down to their very long talk page post today. (which they didn't bother signing. They almost never sign their posts, or thread them. This behavior too is characteristic of people who are not here, as we all know) and this series of diffs just an hour or so ago, where they prominently cited their own work, elevating that nearly to the top of the adverse effects section and further burying the warning about high grade prostate cancer. Ditto this edit from earlier this week, where they added bizarre content from a primary source from 1999, the intent of which was to make the drug seem less useful for hair loss (I think) and again ramped up the urgency around sexual side effects. You can look at any of their edits to finasteride (here) or Dutasteride (here) and that is what you will see.
See also this recent (and rejected) request for mediation they made, entitled: Finasteride Article; Adverse Effects of Finasteride; there has been a concerted effort over many years to downplay the adverse effects of finasteride, where the title says it all, and is basically the Post Finasteride Syndrome Foundation company line.
This is tragic, as this person is obviously very knowledgeable, has access to many great sources, and could help make all of our articles much better. Instead they have chosen to edit about precisely one thing, with no regard for appropriate WEIGHT among other side effects or the article overall. I asked them to provide a draft of the section last year here, which they just ignored.
They have never responded on any of the inquiries about their relationship with the Post Finasteride Foundation or if they are serving as an expert witness. As you can see from the history of their Talk page they just remove things.
We should TBAN them from editing about sexual health, and should consider an indef. They are not here to build an encyclopedia, but instead cite themselves and pound on this one issue, and drain the time of the volunteer community. Which is a damn shame. Jytdog (talk) 00:32, 6 May 2018 (UTC)
- I have proactively disclosed all potential COI. I have been transparent about my sources of research funding, which includes the National Institutes of Health, the National Science Foundation, the American Cancer Society, the American Heart Association, and the Post-Finasteride Syndrome Foundation. These funding sources are cited in my published research. My only connection to the Post-Finasteride Syndrome Foundation is having been the recipient of funding from them. I have never and will never serve as an expert witness in any finasteride or dutasteride litigation.
- I have reviewed the self-citation policy, and I am entirely compliant with this policy, as I do so transparently and appropriately. I have openly used sbelknap as my wikipedia ID from the beginning, and do not use any other wikipedia ID. I have no connection whatsoever to Doors22. I also extensively cite other high-quality sources.
- I feel threatened by jytdog, who exhibits extreme ownership behavior of the finasteride article, has harassed me with wikilawyering, and has gotten me briefly banned from editing. jytdog summarily deletes my edits with comments that often suggest they have not bothered to read the cites I provide. jytdog misrepresents wikipedia policies. For example, they assert that primary sources can not be used in medical articles and that self-citation is impermissible. They also claim that a secondary source is unreliable on an issue where an author of the secondary source is also the author of a primary source on that same issue. I note that many authors of secondary literature are also authors of some primary literature cited in their secondary articles. When I consult the wikipedia policies that jytdog cites, I find that the actual policies are much more nuanced (and reasonable) than cited by jytdog.
- Also, in the last few days when I had a chance to make some edits to the finasteride article, somebody tried to log into my wikipedia account and I received a threatening phone call. I don't know who did these things. jytdog is not the only obnoxious editor who works on the finasteride article. As jytdog is a pseudonym, there is no way to confirm that they are not being paid by a P.R. firm or legal firm to edit the finasteride article or that they are not using sockpuppets and meatpuppets to amplify their edits. Regarding COI, methinks they doth protest too much.
- In my view as a subject matter expert and researcher in this area, the finasteride article does not provide a NPOV. According to policy, "All encyclopedic content on Wikipedia must be written from a neutral point of view (NPOV), which means representing fairly, proportionately, and, as far as possible, without editorial bias, all of the significant views that have been published by reliable sources on a topic." The current finasteride article overstates the efficacy and understates the toxicity of finasteride. I am working to correct that. jytdog just issued a bizarre post on the wikipedia finasteride talk page that included this: "Men and their penises is way down on my list of urgent needs to address in WP. This page currently discusses these issues and does a decent job of it - not perfect, but nobody reading this now would fail to understand there is some issue here. I am utterly uninterested in wasting any further time on this specific issue which is trivial in the big picture of medicine and of medicine in Wikipedia. This is approaching the disruption that the anti-circumcision activists cause as they push and PUSH and PUSH. Men and their god damn penises."
- Such misanthropy is grossly inappropriate. If jytdog is so angry at men, perhaps they could find a less triggering wikipedia article to edit than finasteride, which is an antiandrogen (male hormone blocker). Sbelknap (talk) 01:52, 6 May 2018 (UTC)
- You would do well to read WP:Casting aspersions, which you are very close to violating. In addition, you, because you are a "subject matter expert" with a specific point of view about the article's subject, are in the worst possible position to judge the neutrality of the article. Beyond My Ken (talk) 03:50, 6 May 2018 (UTC)
- I'm a little uncomfortable with that formulation. In a purely hypothetical example, suppose a Wikipedia editor was a climate researcher and their edits followed the (IPCC-ish) consensus in that field. Would they be subject to a topic ban from our climate articles as "a subject matter expert with a specific point of view about the article's subject"? Shock Brigade Harvester Boris (talk) 04:06, 6 May 2018 (UTC)
- @Shock Brigade Harvester Boris: Just to be clear, my comment was not by way of arguing for a sanction, but an explanation for why Sbelknap -- or your hypothetical climate researcher -- might not be the best judge of an article's neutrality. Such judgments should come from editors who understand the material, but are not necessarily biased about it, or who are able to put aside their prejudices in order to evaluate the article fairly. I think there are any number of editors, for instance, who hold strong political views, but who deal with articles on subjects on all sides of the political spectrum even-handedly - and then there are those who clearly cannot do so. Beyond My Ken (talk) 18:35, 6 May 2018 (UTC)
- As I noted at COIN, Shock Brigade Harvester Boris, medical experts coming here advocating their pet theories is a problem, such that we specifically mention it in WP:MEDCOI. There is no mainstream medical editor who has supported Sbelknap's (and Door's before him) efforts to "pump up" the sexual adverse effects. This is medical advocacy, not the medical mainstream.
- I had added the following to the Society and Culture section of the finasteride page last week about the Post-Finasteride Syndrome Foundation:
A 2015 post in Health News Review noted that the foundation put out a press release timed to the publication of a review it had funded; the post said that the release "seems rather hyperbolic in admonishing physicians to be vigilantly looking out for 'symptoms in adverse drug reaction reports, suicide post-mortems, suicide-prevention services, and other patient records' and to alert the general population.... These appeals strike me as uncomfortably reminiscent of late-night TV and billboard pitches for malpractice attorneys." The release claimed that the NIH had "recognized" "post-finasteride syndrome"; in response to an inquiry an NIH spokeswoman said: "The statement by the Post Finasteride Foundation you referenced therefore is not accurate and was not determined by us."[1]
References
- ^ Hoffman, Richard (August 12, 2015). "Advocacy group spin may skew discussion on finasteride side effects". Health News Review.
- That is what advocacy groups do. Sound the alarm, and make aggressive claims. Sbelknap has aligned himself with them, allowing them to quote him and post his face on their mainpage. (I strongly recommend health news review btw - they are great at calling out hype in the media about medicine.)
- The mainstream view on this may change as more evidence comes in. Sbelknap wants to make WP part of his efforts to try to make that change out there in the medical arena. He wants to assemble primary sources here to build the argument. None of that is what we do here, and not what editing privileges are for. Jytdog (talk) 05:53, 6 May 2018 (UTC)
Please support or oppose below
- Support. Ian.thomson (talk) 03:51, 6 May 2018 (UTC)
- Support TBAN. Ian.thomson (talk) 15:40, 6 May 2018 (UTC)
- Support Long term disruption. Ongoing COI issues. Removing high quality sources they disagree with here as it appears to not fit their POV. Referring to oneself in the third person is not cool.[24] Funded by the advocacy group Post Finasteride Syndrome Foundation.[25] I am leaning towards an indef. Doc James (talk · contribs · email) 06:53, 6 May 2018 (UTC)
- Doc James errs here. The high quality source he mentioned was not removed from the body. It was removed from the lead, as it has been deprecated by another high quality secondary source. I referred to an article I co-authored. I did not refer to myself in the third person.— Preceding unsigned comment added by Sbelknap (talk • contribs) 14:56, 6 May 2018 (UTC)
- note, in this diff, Sbelknap inserted his comment above into the middle of Doc James', and didn't sign it. I noted this pattern of ignoring how we handle talk page threads in the OP. I moved his comment out of doc james' and placed the unsigned template, in this diff. Jytdog (talk) 16:08, 6 May 2018 (UTC)
- Support - I don't need the slightest knowledge about medicine to see what's been going on. Kudpung กุดผึ้ง (talk) 07:19, 6 May 2018 (UTC)
- Note. Adding a subheader for ease of editing. Jytdog has mentioned both a topic ban from sexual health, and an indefinite block:
"We should TBAN them from editing about sexual health, and should consider an indef. They are not here to build an encyclopedia.."
Could everybody please say which alternative they support? Pinging @Ian.thomson, Doc James, and Kudpung:. For my part, I support an indef as first alternative, and secondly the proposed topic ban. Bishonen | talk 08:51, 6 May 2018 (UTC).
- As per Jytdog's opening thread title, I'm supporting a T-Ban. I would expect it to cover all articles, talk pages, images, and other discussions on health, medicine, anatomy, and related research, broadly construed. That should restrict his editing sufficiently without needing an indef. However, if the consensus leans to an indef, I won't oppose it. Kudpung กุดผึ้ง (talk) 09:11, 6 May 2018 (UTC)
- Support topic ban. I've seen the ongoing long term disruption and it is clear that this user is here to advance a very specific point of view contrary to the consensus of other editors with medical expertise. -- Ed (Edgar181) 13:53, 6 May 2018 (UTC)
- The medical literature on this topic is evolving. Should not the wikipedia article evolve as well?— Preceding unsigned comment added by Sbelknap (talk • contribs)
- Sbelknap, that's not what we're talking about here. We're discussing the sanctions to apply to a user. And please sign your posts. Kudpung กุดผึ้ง (talk) 15:25, 6 May 2018 (UTC)
- Support POV/COI editing is not acceptable, even if "the literature is evolving". The editor clearly wants to make sure that the article "evolves" towards their preferred POV, which is hardly neutral. Eggishorn (talk) (contrib) 15:48, 6 May 2018 (UTC)
- @Eggishorn: To clarify, do you support the tban or the indef? —SerialNumber54129 paranoia /cheap shit room 15:53, 6 May 2018 (UTC)
- @Serial Number 54129:, thank you for the question and I apologize for not making myself clear. The immediate issue is the topic and a topic ban needs to happen first. Indef is an issue I leave to admin judgment. Eggishorn (talk) (contrib) 15:55, 6 May 2018 (UTC)
- Support Topic Ban - The evidence here is clear and the need to prevent disruption has been demonstrated. In fact, I would also support the indef. -- Dane talk 18:40, 6 May 2018 (UTC)
- Support topic ban per Doc James. Will consider the possibility of an indef when that is specifically proposed. Beyond My Ken (talk) 18:49, 6 May 2018 (UTC)
- Support topic ban per all of the above. (Hey, Jytdog, "have been plagued by advocates - men and their penises" sounds anatomically difficult to me. [FBDB]) --Tryptofish (talk) 19:33, 6 May 2018 (UTC)
- User:Tryptofish yes that is ...awkward, isn't it. I should have err ... circumscribed that better and sheathed it in a parenthetical like "(men and their penises.. problems everywhere)". Something like that. Jytdog (talk) 19:51, 6 May 2018 (UTC)
- At this point, I'm going completely off-topic, but see also Bad Biology. --Tryptofish (talk) 23:50, 6 May 2018 (UTC)
- A sentient penis. But is it prehensile? Can it type?? Jytdog (talk) 02:52, 7 May 2018 (UTC)
- Support topic ban, per Doc James. We do not need a bullheaded editor claiming some special level of expertise as justification to push their own point of view, especially an editor inclined to dismiss the concerns of uninvolved editors who know medical topics far better than I do. What I do know is that maintaining the highest quality standards on our medical articles is exceptionally important. Cullen328 Let's discuss it 00:59, 7 May 2018 (UTC)
- Support I browsed the above and Talk:Finasteride and there is no sign that Sbelknap is engaging with any of the points that have been patiently explained. Johnuniq (talk) 03:36, 7 May 2018 (UTC)
- The discussion above is closed. Please do not modify it. No further edits should be made to this discussion.
ARBPIA Notice
Hi, please could an admin correct the admin-only template Template:ArbCom Arab-Israeli enforcement?
It needs this amendment (made to the ARBPIA editnotice), removing the words “of the revert”, as they do not appear in WP:ARBPIA3#Motion:_ARBPIA_.22consensus.22_provision_modified.
Also pinging @El C: who added the words originally but seems to be on a wiki-break. Onceinawhile (talk) 06:28, 7 May 2018 (UTC)
- Seems to have been Done by Onceinawhile. Primefac (talk) 11:36, 7 May 2018 (UTC)
- @Primefac: I did one but I could not do the other. That's why I posted here. Could you help me with the other? Onceinawhile (talk) 15:27, 7 May 2018 (UTC)
- Whoops. Coffee hasn't kicked in yet. Done. Primefac (talk) 15:29, 7 May 2018 (UTC)
- This is actually the latest wording of the restriction per a January 2018 motion and thus I updated the template to use that wording. Galobtter (pingó mió) 16:36, 7 May 2018 (UTC)
- Thanks. Primefac (talk) 17:08, 7 May 2018 (UTC)
Closure request
The following discussion is closed. Please do not modify it. No further edits should be made to this discussion.
Would an uninvolved administrator mind looking over Wikipedia:Requests for comment/Event coordinator proposal and see if it makes sense to close it early. The WMF have a developer thing coming up, so if it is possible to get them an answer before that, I think they would appreciate it. TonyBallioni (talk) 15:16, 7 May 2018 (UTC)
- I came here to ask the same thing, I see I'm not the only one. It is clearly snowing over on that page. — Insertcleverphrasehere (or here) 04:57, 8 May 2018 (UTC)
Image false attribution copyright question
This might not be the best place to post this but my usual practice on these things is just pinging one particular admin who's inactive right now, so here we go. I've started a discussion at Talk:Doug Ford Jr. regarding photos that have been added from a Flickr account with CC BY-SA 2.0 license, but which I believe may be impersonating the subject in which case I think this license is invalid. If you're someone who likes to wade into weird copyright stuff (not necessarily admins!) your input would be appreciated. Ivanvector (Talk/Edits) 21:15, 7 May 2018 (UTC)
- If you're concerned about Flickr-washing of Commons files, then the correct procedure is to start a DR for said affected files on Commons. -FASTILY 01:23, 8 May 2018 (UTC)
- Thank you for that guideline link, I did not know about that (and I'm not very familiar with the inner workings of Commons in general). I'll consider what to do next. Ivanvector (Talk/Edits) 12:26, 8 May 2018 (UTC)