
About [[Phabricator:phabricator-people-148aaf2e06c62283/fr]]: extremely unsecure suggestion!

Edited by author.
Last edit: 12:52, 14 July 2022

This hint is the worst ever suggestion by Phabricator I have ever seen or any Wikimedia project:

"After you set a new password, consider writing it down on a sticky note and attaching it to your monitor so you don't forget again! Choosing a very short, easy-to-remember password like "cat" or "1234" might also help."

If it is followed, it completely destroys the usefulness of passwords, allowing anyone to easily take control of accounts; bots would easily target these accounts as well. Various projects have strong requirements about the choice of a good password (notably for administrator accounts, or accounts created for privacy and whose owners could become a source of legal threats when editing sensible articles like those about the war in Ukraine, or LGBTQI+ topics, or accounts used for development with the review of edits, or approval and integration of changes in code or policies). As well, noting passwords on PostIts is not secure at all.

This is also a very bad suggestion for any other web site: users are instructed everywhere to NEVER use those "easy" tricks that break all best recommendations made by many authorities and project managers (and even by Wikimedia itself).

Given the now very HUGE risk of third party attacks now on the web (where personal account details are stolen by tens of millions, even on very popular sites that were supposed to be secured, including massive attacks against popular wikis), we need stronger passwords stored in safe places, and that are also unique for each site (so that users of the wiki will also NOT reuse their passwords for their other critical accounts such as their bank, merchant sites, gaming sites, or other professional websites, or government and social security websites).

In all cases, that statement quoted above should be discarded completely. It is much safer to forget a password that you can change again by asking the website to submit a request to generate a temporary password with which you can reconnect and change immediately on first logon.

Instead, we should instruct users to consider using password managers (that can help generating strong passwords, and that can save them in a secured store). Today, password managers are integrated in most major web browsers, and allow synchronizing them across multiple devices, or can be integrated as plugins for most browsers or as accessibility companion apps for mobile devices.

Good password managers can also give hints when some known sites have been hacked or when user passwords that were harvested on users' devices or stolen on legitimate sites but found on the dark web where they are republished or resold.


See also T313023 (I did not find a more precise subproject/board for it).

Verdy p (talk) 03:45, 13 July 2022

Nothing we can handle on translatewiki.net. Belongs into the Bugtracker of Phabricator. But: "Effective June 1, 2021: Phabricator is no longer actively maintained and no longer accepts bug reports." per https://secure.phabricator.com/book/phabcontrib/article/bug_reports/

Raymond 06:35, 13 July 2022

Phabricator is maintained by Wikimedia itself in its own branch since extremely long. And this is where these messages to translate on TWN are coming from (not from the initial branch that was maintained by a well-known large company, but even before it landed its translation here in TWN!).

But what they mean is that various extensions to Phabricator are not all used by Wikimedia and so can't be maintained. Anyway, Phabricator is still essential to all Wikimedia operations and has not any substitute to track bugs correctly, even if Wikimedia also uses Git and Gerrit, Phabricator is the only tool that federates everything. Phabricator is also used by other non-Wikimedia projects (including some whose translations are made here in TWN) running their own instances (possibly not all its extensions).

Have you seen Wikimedia seeking for another project management tool and testing it (there are some open source candidates, but they are proprietary in most of their needed extensions)? I have not, so it's very unlikely that it will be replaced soon.

Also I posted the message here, because Wikimedia (or you at TWN) has still not modified the Phabricator translation project to give a suitable place to send reports. This was discussed multiple times and no solution deployed for now. Each time I have to lookup into the Wikimedia Phabricator website to find some relevant place and forward a detailed link to this support page for details, and then post another link here to the place in Phabricator where the bug was reported. I did it several times even recently in June and early July. Wikimedia then responded here and not in WM Phabricator!

How do you want me to work differently and track issues correctly? Using Twitter is not a solution, and there are many active dashboards in Phabricators with a lot of things to do, and they are STILL active (even if things have slowed down). Why was it not announced before the "effective" date of June 1, 2021? Why don't they give any link to any alternate site or bug tracker? If this was true this would mean that Mediawiki itself would no longer be supported, and almost all translations made here would no longer have any support and TWN itself would die!

In fact I absolutely do NOT see this closure notice in the main effective Phabricator site (https://phabricator.wikimedia.org/), which is extremely active! Your link going to https://secure.phabricator.com/ instead is incorrect (this is an unrelated legacy instance that existed many years ago before Wikimedia took control of the project abandoned by a well-known large company). It just means that Wikimedia will no longer renew that legacy domain name and will use Phabricator ONLY in its own supported subdomain using its own farm of servers, and that active synchronization between the two instances is terminated. All project dashboards and trackers should have been transferred (but there's still some work to transfer some old dashboards and some trackers are still active on the legacy domain, but with very slow activity).

Maybe I'll contact Akklaper @WM to change the notification currently displayed on the legacy domain, so that users are correctly informed as a reminder where to go (including you, because you probably used a search engine to find relevant bug reports and did not realize that the old bug reports you found were still pointing to the old proprietary instance and that they were not archived, transferred to the WM instance and administratively edited to no longer reference the old domain; only new bug reports cannot be submitted on the legacy instance, but it has still not been locked down in readonly mode to archive and transfer all its content, as there is still some response activity on existing bugs submitted prior to June 2021 and still not closed there). And anyway, TWN must find a way to have all TWN supported translation projects with a relevant bug report link. For now the message given above just links us to this TWN support. And we still need to find ourselves a relevant dashboard/tracker on the effectively supported Phabricator instance. This means there is work to do in TWN too to clean up the unstable situation, possibly with development in TWN!

And as far as I see the "Phabricator People" board/tracker was changed in 2016 to point to https://phabricator.wikimedia.org/ (see https://phabricator.wikimedia.org/rMWVA456749069b2e5b138bb7ca89fad1225d2929ace0), i.e. NOT on the legacy Phabricator domain where it has NEVER lived (before 2016 it was on https://bugtracker.wikimedia.org/, which is dead since long; in 2014, old bugs related to the "Phabricator People" extension for Phabricator made by Wikimedia were still forwarded to the legacy "phabricator.com" domain before Wikimedia took control of Phabricator development and support, because the current "phabricator.wikimedia.org" instance was still not installed and running and the old https://bugtracker.wikimedia.org/ was still active). This also means that the "Phabricator People" board/tracker has always been managed by Wikimedia itself.

Verdy p (talk) 08:02, 13 July 2022
 

Like many other Phabricator messages, it's just a joke.

Amir E. Aharoni (talk) 11:04, 14 July 2022

Such messages in Phabricator have no place. Seriously, I still ask them to drop that hint. But unfortunately I do not find which subproject manages this message in the actual Wikipedia Phabricator instance (not the historical one incorrectly suggested by Raymond, who incorrectly argued that Phabricator was no longer supported, just because he looked at the wrong historical place for bugs that were posted in 2014 or 2015). Even if these jokes came from the historic proprietary project from which Phabricator came before being transferred to Wikimedia and managed directly, this means there's still cleanup to do. How could a serious company give such a very bad hint?

There's still a lot of cleanup and review to do in Phabricator, since years, no one seriously looked at it. But it's a very large project and progression is slow and difficult to look for.

And all other non-Wikimedia instances of Phabricator are now based on the Wikimedia branch, and won't tolerate these "jokes" that seriously damage the image of this project, compared to other competitive proprietary (and costly) project manager solutions or ERP (Smartsheet, Monday.com, Wrike, Hubspot, Freshbook, Atlassian based on JIRA, Notion.io, Wizbii, Meistertask, Basecamp, Teamwork Projects, Proofhub, Zoho, Nifty, Trello, Asana, Workfront, Hubstaff, LiquidPlanner, Clickup, TeamGantt, Backlog.com, Celoxis, Plutio, ProjectManager.com, Microsoft Projects, Microsoft Teams, Gouti, Redmine, Scoro, Workzone, FileStage, ProProfs, nTasks, Chanty, RedBooth, 10000FT Plans, ProWorkflow, MavenLink, Insightly, Clarizen, Comindware, Easy Project, CrocAgile, Producteev, TeamDeck, Freedcamp, Hive, Freshdesk, Flock, CoSchedule, MoneyPenny.me, Podio, Project Insight, EventCollab, Advantage, Nutcache, Paymo, Cage, Avaza, Dropbox Paper, Evernote, Todoist, TimeCamp, Confluence, Functionfox, Workbook... and many others, most of them having integration/plugins for AWS, Azure, and other large and well-known cloud providers but still not Phabricator, even if they have some plugins for Mediawiki or other wikis and CMS!).

Verdy p (talk) 12:15, 14 July 2022