Wikipedia:Village pump (proposals)/suspend sysop rights of inactive admins
- The following discussion is closed. Please do not modify it. Subsequent comments should be made in a new section. A summary of the conclusions reached follows.
- I have closed this RFC as successful. As such, I have added this paragraph to WP:ADMIN. Wording tweaks can be performed as necessary, but the underlying principle has been soundly approved. NW (Talk) 03:52, 2 July 2011 (UTC)
The issue of Inactive Admins has reared it ugly head again after one admin account was hijacked by White supremacist editors. Arbcom made an emergency De-sysop of Spencer195 (talk · contribs · blocks · protections · deletions · page moves · rights · RfA) whose last edit was in 2005 to prevent possible damage to the community. Given Spencer195 off the Wikipedia for six years before being compromised there seems no assurance that dormant account are as safe as assumed.
Its been three years since the last major proposal on this was made. In that time Wikipedia prominence has grown and I think the Language on that proposal is right on with what needs to happen now.
- Proposed language to be Added at Wikipedia:Administrators#Review and removal of adminship
- Admin accounts which have been completely inactive for at least one calendar year (with no edits or administrative actions in that time) will be automatically desysopped. This is not to be considered binding, or a reflection on the user's use of, or rights to, the admin tools; if an inactive admin returns to Wikipedia, they may be resysopped by a bureaucrat without further discussion, providing they left Wikipedia in good standing and not in controversial circumstances, and that their identity is not in dispute. The admin will be contacted one month prior to the expiry of the one-year timeframe on their user talk page, and again a few days before the limit. If the account has a valid e-mail address, the user will also be contacted via that medium. The summary in the user rights log will make it clear that the desysopping is purely administrative."
This proposal allows a dignified desysopping and the ability to Re-Sysop if they choose to return to Wikipedia. The Resident Anthropologist (talk)•(contribs) 22:33, 31 May 2011 (UTC)
Endorsement/Opposition
edit- On the last line of the proposed clause, rather than "purely administrative" (which will introduce another potential ambiguity), perhaps "purely while account is inactive"? Ncmvocalist (talk) 13:15, 2 June 2011 (UTC)
- I support this, but y'know... "good luck" Choyoołʼįįhí:Seb az86556 > haneʼ 22:43, 31 May 2011 (UTC)
- I certainly wouldn't object if I disappeared for a year and came back to find that the tools had been removed - in fact, I'd expect it. I'd go further and say that an admin who comes back after over one year's absence needs to agree to read up on all the policy changes before the bureaucrat hands the mop back. Elen of the Roads (talk) 22:48, 31 May 2011 (UTC)
- I Support this though I might like to push it to two years of inactivity but never the less i support the principles behind this and would not object to a one year time frame. Seddon talk|WikimediaUK 22:50, 31 May 2011 (UTC)
- Support based on the security concerns of having high-privilage accounts which aren't being used. A year seems about right. -- Eraserhead1 <talk> 22:52, 31 May 2011 (UTC)
Support very reasonable proposal Murray Langton (talk) 09:29, 1 June 2011 (UTC)
- We've had this discussion many a time before. Could you please find and link some of the big discussions?
What is to stop an account hijacker posting to WP:BN asking for the tools back? NW (Talk) 22:54, 31 May 2011 (UTC)
- A returning account draws attention to itself by requesting publicly at WP:BN. --SmokeyJoe (talk) 23:43, 31 May 2011 (UTC)
- Wikipedia:Perennial proposals#Demote inactive admins --Tothwolf (talk) 23:03, 31 May 2011 (UTC)
- The last poll shown there failed with 45S, 40 Op, 11N in April 2008. Johnbod (talk) 02:49, 1 June 2011 (UTC)
- I Support this. It make sense. But, there would have to be no strings attached; readminship would have to be automatic upon request, and any outstanding issues would have to then go through normal processes. Maybe 18-24 months is a better timeframe. Ocaasi c 23:05, 31 May 2011 (UTC)
- Oppose per Henny Penny. Account compromises are going to occasionally happen no matter which permission bits an account holds. Holding the admin bit isn't supposed to be a big deal and anything done with the admin bit can be undone, so there is really no emergency here. --Tothwolf (talk) 23:15, 31 May 2011 (UTC)
- Before we jump straight into judgement-vote mode, could we have a discussion about this? I understand similar systems are used on sister (language) projects, anyone know the details? Skomorokh 23:12, 31 May 2011 (UTC)
- That would be helpful I feel. Sorry if I set folks off on the wrong track above - I was just intending to expound how I would react if it were me. Elen of the Roads (talk) 23:18, 31 May 2011 (UTC)
Question: what guarantees are there that the putative resysopping procedure would not be a point of security vulnerability, by having imposters come along and try to claim the account ("oh and the old email address is history, pls help")? Rd232 talk 23:20, 31 May 2011 (UTC)
- I would say a Crat's judgement. The Crat's I know would be suspicious of such a request and probably discus it with other crats before doing it. Personally its better than simply having it to begin with. The Resident Anthropologist (talk)•(contribs) 23:23, 31 May 2011 (UTC)
- I would think any admin coming back after 6 years of inactivity and asking for rights reinstated right away would be suspicious anyway. And at least at that point, they are being noticed. As it is, nobody is watching their (lack of) activity. ▫ JohnnyMrNinja 23:31, 31 May 2011 (UTC)
- This would be better if another little group, of crat's trusted users because crats already have lots to do. But still, I support. Also, what happens if an account like his gets highjacked or hacked into before 1 year? ArbCom cannot come fast enough. ~~EBE123~~ talkContribs 20:35, 1 June 2011 (UTC)
- It might be better to rename this proposal "Suspend sysop rights after 1 Year of inactivity" to make it clear this is a security/housekeeping measure that's not punitive. I wouldn't object to requiring, in the absence of a stronger method to verify identity, a month of normal editing prior to restoration on the grounds that an account hijacker is unlikely to bother. I agree there is no emergency, but it seems like a cheap preventative measure. While it's true that rogue admin actions can be reversed, the damage to Wikipedia's reputation is much harder to undue. --agr (talk) 23:26, 31 May 2011 (UTC)
- Support old admins who left, went inactive, or retired in good standing of being entitled to the expectation of return of the bit on request at WP:BN with at least a brief discussion. --SmokeyJoe (talk) 23:43, 31 May 2011 (UTC)
- Support It's a well thought out proposal and I can't think of any reason not to do it. True, an active admin is no less likely to be targeted for hijacking than an inactive admin, but let's limit the pool of targets anyways. Sven Manguard Wha? 00:35, 1 June 2011 (UTC)
- One year seems kind of brief. A difficult year at work, a year abroad for school, a baby in the house, a deployment for our active military members—it's not hard to imagine a temporary circumstance that could result in a year's inactivity, especially for admins who are primarily active on other WMF projects. If we're going to do this (something I don't feel strongly about, but tend to think unnecessary), then I think the timer ought to be set rather longer than 12 months. Also, I think that the 'make sure they (say they) read all the policies' requirements are rather patronizing. We select admins because we trust their judgment, not because they can quote the (constantly changing) policies. In fact, I'm not sure that I've ever encountered a single editor who has actually read all of the policies before.
BTW, in the category of 'how to make a decision', it might be appropriate to post notes on every potentially affected account's user talk page. Some of them might want to have an opportunity to comment, and the e-mail-based surveys WMF has done suggest that people who look "inactive" to us don't think of themselves as being inactive. WhatamIdoing (talk) 00:42, 1 June 2011 (UTC)
- The reasoning doesn't stand up if they are active on other WM projects, especially if they have SUL. I don't think a WP admin who is busy at Commons should be considered inactive in this context. ▫ JohnnyMrNinja 00:49, 1 June 2011 (UTC)
- The most common measurement of inactivity uses Special:Contributions, and therefore sees nothing more than whether the person made any edits to undeleted pages specifically on the English Wikipedia within the specified time. IMO such a measurement is inadequate for this purpose, but it's the most likely to be used. WhatamIdoing (talk) 01:34, 1 June 2011 (UTC)
- In that case all they have to is to make a couple of edits somewhere when they get the warning. Is that so much to ask? Johnbod (talk) 02:45, 1 June 2011 (UTC)
- Actually, policy states in pretty clear language that Wikipedia is not compulsory, so yes, I think it is a little unrealistic. --Tothwolf (talk) 04:26, 1 June 2011 (UTC)
- Hardly "unrealistic". If you think it is "unreasonable" I'd have to disagree strongly. Johnbod (talk) 11:48, 1 June 2011 (UTC)
- Actually, policy states in pretty clear language that Wikipedia is not compulsory, so yes, I think it is a little unrealistic. --Tothwolf (talk) 04:26, 1 June 2011 (UTC)
- Support the proposal, it's common sense. Not sure if this is the case, but inactive admin accounts may give us the impression that we have more admins than we actually do. (I am not an admin) --Surturz (talk) 01:49, 1 June 2011 (UTC)
- Oppose Per "security concerns" an invalid reason. Consider: how often are accounts compromised? Then: How many of those accounts are administrators? Then: How much damage could a rogue admin account cause before being shut down? Then: How many different ways can rogue admin accounts be quickly stopped? Versus: How much does leaving permissions on inactive accounts hurt? Seriously—when was the last time an old admin account was hacked? I recall Zoe/RickK, and Spencer195. It's not often at all. An active admin account can be "hacked" just as easily. The problem is not with leaving permissions on these accounts. It is with users picking weak passwords. You can't change that except at the individual user level. /ƒETCHCOMMS/ 02:20, 1 June 2011 (UTC)
- So, because it's "only" happened twice so far, we should continue to memorialize the accounts of long-departed – and quite possibly deceased – editors by keeping all of their advanced rights on their account in perpetuity? On the off-chance they rise from the dead and decide to resume editing, is it really an onerous requirement that they stop by the bureaucrats' desk on the way back in and say "hey, before I start blocking people and deleting pages, has anything changed since 2004 that I should be aware of?" The idea that these accounts hold no interest whatsoever for people with malicious intent (because it's "only" happened twice so far that we know of) is naive, frankly. 28bytes (talk) 03:39, 1 June 2011 (UTC)
- The problem is partly with inactive accounts, because the best person to detect hijacking is the person whose account it is. Removing the bit from such accounts has a variety of small benefits, including reduced security risk and better admin stats, and less risk of admins returning and not being up to speed (the act of having to ask for the bit back underlines that they have a need for seeing what changes they might have missed). If the benefit is small and the cost is very small, it's worth doing. Rd232 talk 16:45, 1 June 2011 (UTC)
- Support - A lot can happen with the rules in WP in a year and if someone hasn't edited in a year then they might be missing out on major changes in policy. If they even come back at all which after a year is against the odds. --Kumioko (talk) 02:41, 1 June 2011 (UTC)
- Shouldn't we trust them to read up on policy before taking controversial actions, and should we fault someone if they make an honest mistake? /ƒETCHCOMMS/ 03:06, 1 June 2011 (UTC)
- I don't have a really good answer for that, but you might want to read this interesting thread. In particular, an IP noted that "Has anyone else noticed a rash of returning old-school admins lately who have have the policies and guidelines change without them realizing it...?" :| TelCoNaSpVe :| 06:29, 21 June 2011 (UTC)
- Shouldn't we trust them to read up on policy before taking controversial actions, and should we fault someone if they make an honest mistake? /ƒETCHCOMMS/ 03:06, 1 June 2011 (UTC)
- Support We'll have to do this some time, or our admin list will slowly become a phantom army. Johnbod (talk) 02:45, 1 June 2011 (UTC)
- And why is that a bad thing? Ajraddatz (Talk) 02:47, 1 June 2011 (UTC)
- Er, because! Does that really need answering? If we have a list of admins, it's rather more useful if they actually are admins rather than ex-admins. Even if Rip van Admin does decide to return eventually, things change round here, & after a few years they may be seriously out of touch. If they can't be bothered to do a couple of edits when they get the warning, they should be de-activated. It isn't much about security as far as I'm concerned. Johnbod (talk) 02:56, 1 June 2011 (UTC)
- Fetchcomms stole the words from my mouth. This change isn't needed - active admins are more likely to be compromised, and the problem is people using bad passwords, not keeping rights when they go inactive. Plus, while it happens once in a blue moon, this shouldn't be so much of a concern that we need to take this pointless action to "prevent" it. Ajraddatz (Talk) 02:47, 1 June 2011 (UTC)
- It would be useful to know how many 1yr, 2yr, 3yr etc inactive admins there actually are. Ah yes, here at Wikipedia:List of administrators/Inactive. We already have more inactive than active admins (on the different "30 or more edits in the last 2 months" criterion), and there are 2 who have not edited at all since 2002. Opposers might like to produce arguments for keeping them live. There are 75 who have not edited since 2007 or earlier, and 246 who last edited before June 1 2010. Johnbod (talk) 03:02, 1 June 2011 (UTC)
- How about "why remove"? You are trying to fix a system which isn't broken. Ajraddatz (Talk) 03:16, 1 June 2011 (UTC)
- What "system" applies to someone who hasn't edited in over 9 years, a time when WP was utterly different in so many ways? I believe the Pakistani phone directories only used to add new entries, never removing the old ones. That didn't work either. Most non-historical databases need housekeeping to remain useful, passports need renewing, and so on. Do you really want to keep people on the list "to infinity and beyond"? Johnbod (talk) 03:27, 1 June 2011 (UTC)
- Support. In the real world, when you leave your job or a volunteer position, you turn in your keys to the building. It's absolutely bizarre that accounts that have not even logged in since 2004 (!) or earlier still maintain advanced rights. 28bytes (talk) 03:25, 1 June 2011 (UTC)
- Agree absolutely, but to be picky, logging on, and edits on deleted articles, are not counted in the figures here - just recorded edits on live articles. Johnbod (talk) 03:30, 1 June 2011 (UTC)
- There's two flaws with that analogy: one, Wikipedia is not the real world; and two, inactive does not mean a user has left. They're taking a break—maybe extended, but you don't know when they're returning, right? In the "real world", you would get to keep your keys if you were going on a vacation, and if something happened and you weren't able to return them, the boss isn't going to hunt you down to get them back. /ƒETCHCOMMS/ 03:40, 1 June 2011 (UTC)
- If you mean a metal key on a chain, you're right, they're probably not going to send a bounty hunter after you to retrieve it. If you mean a plastic RFID badge that lets you into the building (which is much closer to the situation here): you'd better believe they'd deactivate that if you went on a short vacation and never came back. Any IT head that had a policy otherwise would justifiably be fired. 28bytes (talk) 03:53, 1 June 2011 (UTC)
- One of the best points so far. -- Eraserhead1 <talk> 07:52, 1 June 2011 (UTC)
- 28bytes, your analogy is closer to a proposal to automatically change peoples' passwords after a year of inactivity. The RFID badge is like a password—the sysop tools are like a pair of scissors. Following your logic, it would make sense to automatically disable logins from user names that haven't edited/made a logged action in over a year, and then have some sort of system to restore the login when requested. Because a spambot running under a non-admin account is just as destructive as a rogue admin account (which is not very destructive in the end), and given that there are millions more non-admin accounts than admin accounts, it would make sense to think about those, first. /ƒETCHCOMMS/ 13:13, 1 June 2011 (UTC)
- That's a bit of a red herring. Anyone can register an account instantly and start wreaking havoc with a spambot (or indeed, not register an account and wreak havoc with a spambot). Whatever incentive there might be compromise an inactive non-admin account (instead of just registering an account) is minuscule in comparison to compromising an admin account. 28bytes (talk) 14:24, 1 June 2011 (UTC)
- 28bytes, your analogy is closer to a proposal to automatically change peoples' passwords after a year of inactivity. The RFID badge is like a password—the sysop tools are like a pair of scissors. Following your logic, it would make sense to automatically disable logins from user names that haven't edited/made a logged action in over a year, and then have some sort of system to restore the login when requested. Because a spambot running under a non-admin account is just as destructive as a rogue admin account (which is not very destructive in the end), and given that there are millions more non-admin accounts than admin accounts, it would make sense to think about those, first. /ƒETCHCOMMS/ 13:13, 1 June 2011 (UTC)
- One of the best points so far. -- Eraserhead1 <talk> 07:52, 1 June 2011 (UTC)
- If you mean a metal key on a chain, you're right, they're probably not going to send a bounty hunter after you to retrieve it. If you mean a plastic RFID badge that lets you into the building (which is much closer to the situation here): you'd better believe they'd deactivate that if you went on a short vacation and never came back. Any IT head that had a policy otherwise would justifiably be fired. 28bytes (talk) 03:53, 1 June 2011 (UTC)
- There's two flaws with that analogy: one, Wikipedia is not the real world; and two, inactive does not mean a user has left. They're taking a break—maybe extended, but you don't know when they're returning, right? In the "real world", you would get to keep your keys if you were going on a vacation, and if something happened and you weren't able to return them, the boss isn't going to hunt you down to get them back. /ƒETCHCOMMS/ 03:40, 1 June 2011 (UTC)
- Not necessarily. If someone's IP(s) is/are rangeblocked, then they would go for hacking others' accounts. Given that rangeblocks are often applied to stop frequent sockmasters, it's not unlikely that someone will try to take over another account rather than create one from scratch. There's also the "established" bit—anyone who would try to use the Clifford Adams (talk · contribs) account for deceptive purposes would be quickly found out, while someone who chooses a non-admin account would probably not be noticed that much. Being an admin makes the account stick out much more. And again: the amount of damage a compromised admin account could wreak before being stopped is very little. Or even a compromised crat account. If necessary, a dev could simply remove the ability for crats to change userrights until the whole thing was sorted out. So there's almost no chance that someone would succeed in creating an army of rogue admin or steward accounts. /ƒETCHCOMMS/ 18:54, 1 June 2011 (UTC)
- Without getting too far into bean territory, I can think of plenty of ways a malicious person or group could cause a lot of damage with the sysop flag. That the damage could be stopped and the mess cleaned up is rather beside the point... why would we want to make it easier for people do so much damage in the first place? Not everyone who gains access to an admin account is going to be as stupid and obvious about it as our most recent (known) example. 28bytes (talk) 19:08, 1 June 2011 (UTC)
- Agree absolutely, but to be picky, logging on, and edits on deleted articles, are not counted in the figures here - just recorded edits on live articles. Johnbod (talk) 03:30, 1 June 2011 (UTC)
Suspend sysop rights after 1 year of inactivity - arbitrary break 1
edit- I note also this failed proposal from 2004 to de-activate 5 admins who had already been inactive for over a year. The amazing thing is that none of them had over 1,000 edits in total. Yet they are still on the books, except for one who died in 2009 without editing again. Johnbod (talk) 03:46, 1 June 2011 (UTC)
- And out of that list, how many of those accounts have been compromised? I find it interesting that of that short list, two of those editors, Khendon and Sugarfish are not "inactive". --Tothwolf (talk) 04:16, 1 June 2011 (UTC)
- Neither Khendon nor Sugarfish were actually inactive for a full year and would not be affected by the current proposal. I am still looking for any admin who returned after more than a full year. Yoenit (talk) 11:39, 1 June 2011 (UTC)
- Samir (talk · contribs · blocks · protections · deletions · page moves · rights · RfA) has; 29 October 2007 to 3 December 2008 and there's also 30 December 2009 to 24 November 2010. 110.139.190.67 (talk) 12:40, 2 June 2011 (UTC)
- User notified. ▫ JohnnyMrNinja 12:52, 2 June 2011 (UTC)
- Those dates look accurate -- Samir 03:30, 3 June 2011 (UTC)
- User notified. ▫ JohnnyMrNinja 12:52, 2 June 2011 (UTC)
- Samir (talk · contribs · blocks · protections · deletions · page moves · rights · RfA) has; 29 October 2007 to 3 December 2008 and there's also 30 December 2009 to 24 November 2010. 110.139.190.67 (talk) 12:40, 2 June 2011 (UTC)
- (ec) Taking Khendon for example, the first screen of his edits (150 is that?) takes you back over 5 years to January 2006, & from a scan of the edit summaries he has done no admin actions in them. Yet he counts as an active admin. Aren't we kidding ourselves here? As I say above, this isn't about security for me, just realistic figures and normal database housekeeping. Johnbod (talk) 11:44, 1 June 2011 (UTC)
- Neither Khendon nor Sugarfish were actually inactive for a full year and would not be affected by the current proposal. I am still looking for any admin who returned after more than a full year. Yoenit (talk) 11:39, 1 June 2011 (UTC)
- And out of that list, how many of those accounts have been compromised? I find it interesting that of that short list, two of those editors, Khendon and Sugarfish are not "inactive". --Tothwolf (talk) 04:16, 1 June 2011 (UTC)
- Password security About the only "prevention" for the problem of poor passwords would be to enforce the use of strong passwords with something like cracklib which is based on Crack (software) from Alec Muffett. That said, I don't think a strong password requirement would be popular with users because in the larger scheme of things, few people actually use strong passwords.
Other than that, speculation that inactive accounts with the admin bit are going to be compromised more often than accounts without the admin bit is unrealistic. The truth is, non-admin accounts are much more commonly compromised and are more commonly sought after by people wishing to use them as sockpuppets. Accounts with the admin bit are less of a target because they tend to be too high profile for such abuse. --Tothwolf (talk) 04:01, 1 June 2011 (UTC)
- I'd be interested to see how many current admins had a year-long or more stretch of inactivity. Is this something that happens, people come back to active sysoping after a year of disinterest? ▫ JohnnyMrNinja 04:10, 1 June 2011 (UTC)
- Also, is there any way for a bot or some other automated process to notify Bureaucrats of an admin that has not logged in to any WMF project in a year, or will we be forced to go by WP edits? ▫ JohnnyMrNinja 04:50, 1 June 2011 (UTC)
- These are good questions. The "abroad at University" argument doesn't hold much weight to me, when every country in the world has internet access. The "busy at work" argument is reasonable, but for a whole year without a single edit or admin action on any Wikimedia project? This seems a little far fetched. -- Eraserhead1 <talk> 07:40, 1 June 2011 (UTC)
- More like "no life at university" :). Although, I guess if a user was in China or something, editing would be much more difficult. JohnnyMrNinja, I don't think even CU can detect logins. Edits, we can track, but not when someone logs in. /ƒETCHCOMMS/ 13:16, 1 June 2011 (UTC)
- These are good questions. The "abroad at University" argument doesn't hold much weight to me, when every country in the world has internet access. The "busy at work" argument is reasonable, but for a whole year without a single edit or admin action on any Wikimedia project? This seems a little far fetched. -- Eraserhead1 <talk> 07:40, 1 June 2011 (UTC)
- Oppose. This would not reduce the already-small risk of compromised admin accounts or improve admin quality. On the first point, WP:PEREN#Demote inactive admins mentions that developers say an inactive account is less likely to be hacked than an active one (and, as Tothwolf mentions above, non-admin accounts get hacked even more often). On the second point, I'm not convinced that someone who could be trusted with the tools one, two, or even five years ago can't be trusted with them now. Yes, policy and consensus changes. However, two things have not changed: (1) our mission to create a neutral, verifiable free encyclopedia, and (2) the fundamental roles and responsibilities of admins. I'd like someone to point out an instance where an admin came back from a long break and proved themselves no longer worthy of the mop and bucket. A returning admin may have to get used to things like new blocking capabilities and minor changes in usual practice, but these are not such earth-shattering changes that they can no longer be trusted to use the tools properly. szyslak (t) 05:46, 1 June 2011 (UTC)
- What counts in security is the probability multiplied by the damage, the damage for hacking a non-admin account is trivial. -- Eraserhead1 <talk> 07:52, 1 June 2011 (UTC)
- I agree that an admin account in the wrong hands is a very bad thing. However, inactive admin accounts are no less secure than active ones, and appear to be even less likely to be compromised per above. What is needed is better password security per Tothwolf above, not removal of access based on a factor that doesn't even make the accounts less secure. (Even when an admin rampage does happen, the damage is temporary, reversible, and necessarily limited. Come to think of it, someone could do even more damage without an admin/crat account...) szyslak (t) 08:43, 1 June 2011 (UTC)
- How would you propose to increase the password security of inactive accounts? Only thing I can think of is emailing them a randomly generated password, but many of them don't have email enabled and for those that do there is no garantuee the mail account is not inactive as well. Yoenit (talk) 09:41, 1 June 2011 (UTC)
- I agree that an admin account in the wrong hands is a very bad thing. However, inactive admin accounts are no less secure than active ones, and appear to be even less likely to be compromised per above. What is needed is better password security per Tothwolf above, not removal of access based on a factor that doesn't even make the accounts less secure. (Even when an admin rampage does happen, the damage is temporary, reversible, and necessarily limited. Come to think of it, someone could do even more damage without an admin/crat account...) szyslak (t) 08:43, 1 June 2011 (UTC)
- What counts in security is the probability multiplied by the damage, the damage for hacking a non-admin account is trivial. -- Eraserhead1 <talk> 07:52, 1 June 2011 (UTC)
- An account with the admin bit cannot really create any more damage than a a "regular" account. Most anything done with either account can be undone without too much difficulty.
Where something becomes much harder to deal with is when someone has obtained non-admin accounts and uses them as sockpuppets to influence discussions, XfD, etc. Such actions are much more harmful to Wikipedia than the very occasional event of an account with the admin bit being compromised. Such sockpuppetry is yet something else we can link to the editor retention issue. [1] [2] As I mentioned above, "admin accounts" are not really suitable for this type of abuse because actions done by accounts with the admin bit draw more attention. (Those who are truly paranoid should be pushing for the locking of infrequently used accounts which have high edit counts ;P ...and yes, that is sarcasm.) --Tothwolf (talk) 15:29, 1 June 2011 (UTC)
- An account with the admin bit cannot really create any more damage than a a "regular" account. Most anything done with either account can be undone without too much difficulty.
- Support But why wait a whole year? Bring it down to 3-6 months. Lugnuts (talk) 06:30, 1 June 2011 (UTC)
- Anything less than a year is probably too short, life does interfere sometimes. -- Eraserhead1 <talk> 07:52, 1 June 2011 (UTC)
- Question Are there are any cases where an administrator returned who would have been desysoped under the current proposal (so no edits at all for more than a year)? Yoenit (talk) 07:58, 1 June 2011 (UTC)
- Support. All good reasons stated already. In addition I like it cause it can be confusing for people who don't know of any admins by name to find an active one. I see noobs leave messages for admins who haven't been active for a long time cause they don't know any better, then wait frustrated for a response. I would indeed cut down the time to 6 months, or at least add as a matter of policy that if you're inactive that long you may expect a warning to be placed on your user page by a third party, if you don't put one there yourself, that users shouldn't expect a reply or action from you until further notice. Desysopping is preferred though, as the bit is easier to track than user page content, the database would remove you from any admin lists etc. Equazcion (talk) 08:36, 1 Jun 2011 (UTC)
- Support (I know it's not a vote, but I just want to be clear to anyone perusing) - I like 1 year but I think 2 might be less offensive to some (on the off chance they get really distracted), and I'd be more comfortable if there were a way to determine login activity vs WP editing activity. The arguments about active accounts being more vulnerable may well be valid, but those editors will notice, whereas inactive editors won't. Non-admin accounts may get hacked more often, but there are many-times more non-admins, and their passwords are probably easier on-the-whole. Someone specifically targeting an admin account knows something about what they are doing, and they may not make any waves once they have the account, maybe even having the name changed. Maybe they just log in to see admin-only pages and logs? Just because nobody is spreading racist propaganda doesn't mean their accounts weren't compromised. Also, if they have been logging in and not editing, they will notice the talk page message they will get, and hopefully respond. If they don't respond, for whatever reason, then it is highly unlikely they would even notice their privileges are gone, much less care. Another good is that our active admins are highlighted. Can anyone actually envision any admin who passed an RfA, then left for several years, and is upset that need to let someone know they are back before they start deleting and blocking again? They would see the politely-worded notice on their talk page and scream "This is what I get for serving my country!?!?!" and then go on a rampage through their hometown? What is the possible bad that can come from this proposal? I've had email websites deleted for less inactivity. People gone for that long probably would want to ease back into regular editing, let alone settling 3rr disputes, for the day or so it would take a Bureaucrat to reinstate them. ▫ JohnnyMrNinja 09:07, 1 June 2011 (UTC)
- Support Great idea. Will allow us to keep a better eye on the number of admins. --Doc James (talk · contribs · email) 09:36, 1 June 2011 (UTC)
- A year's a long time on Wikipedia and things change. Guidelines are "clarified", which in some cases is an actual improvement. Policies alter. Custom and practice tends to drift. AN/I drama gets more pungent. Someone who hasn't edited for a year won't necessarily be ready to use sysop tools immediately; they'll have an out-of-date image of how we do things. It's reasonable that we ask a crat to satisfy themselves as to the returning user's identity and for a short period of regular editing that demonstrates the user's "up to speed" before access to sysop tools is restored.—S Marshall T/C 11:47, 1 June 2011 (UTC)
- Comment For your information, there are at least four known cases of inactive admin accounts being compromised:
I have no doubt I will find more if I go through the history of Wikipedia:List of administrators/Inactive. None of them did serious damage after being compromised, but this is definitely a vulnerability. Yoenit (talk) 11:55, 1 June 2011 (UTC)
- There have been many others (Wikipedia:Former administrators lists some; see also Wikipedia:Wikipedia Signpost/2007-05-07/Admins desysopped). Many of these were active admin accounts that were compromised, however. And due to weak passwords. The problem is weak passwords. You don't guess a user's password if it's strong. If we look at the percentage of inactive compromised admin accounts out of all total admins ever, we'll all find that it is very small. /ƒETCHCOMMS/ 19:03, 1 June 2011 (UTC)
- Which amounts to saying, "I'm hungry, but this sandwich isn't going to solve my impending bankruptcy problem, so I won't eat it." Rd232 talk 20:44, 1 June 2011 (UTC)
- There have been many others (Wikipedia:Former administrators lists some; see also Wikipedia:Wikipedia Signpost/2007-05-07/Admins desysopped). Many of these were active admin accounts that were compromised, however. And due to weak passwords. The problem is weak passwords. You don't guess a user's password if it's strong. If we look at the percentage of inactive compromised admin accounts out of all total admins ever, we'll all find that it is very small. /ƒETCHCOMMS/ 19:03, 1 June 2011 (UTC)
- Support. I would only consider it normal that I would no longer automatically be a sysop after a year of inactivity. I wouldn't oppose a period of two weeks to a month of regular editing required before getting the rights back either, to decrease the chance of someone coming along and claiming to be me. While this suspension of rights may have few advantages, I believe they still outweigh the very small disadvantages. Fram (talk) 12:16, 1 June 2011 (UTC)
- Oppose—requiring a minimum amount of edits in a given period of time will incentivize a minimum amount of edits in a given period of time. Admins not wishing to lose admin status will return to make a few edits each 6 months, for instance. Of course it could be argued that this is a good thing, as it will sort the dead from the living, generally speaking, with allowances for the merely incapacitated. I would suggest extending the period of inactivity to ten years to be sure we are really desysoping those who are unlikely to ever edit again in the capacity of administrators. Bus stop (talk) 12:42, 1 June 2011 (UTC)
- Support. This has been standard policy at the other two projects I edit at, Wikibooks and Commons. The former uses a year and the latter six months. Both require notification of an inactive admin via email/talk page and allow for 30 days to respond. I see nothing wrong with reducing risk. While both inactive and active admins are targets, active admins will notice if they're locked out of their account or are performing bad actions. Inactive admins can be taken over without their original owner noticing. Additionally, having the list of admins actually reflect people that can assist is helpful to users and allows for use of tools like http://toolserver.org/~vvv/adminstats.php without errors due to too many admins. Adminship is "no big deal" as stated above, so there's really no need for consternation that it could be taken away if not used. Objections to the contrary make me wonder if it really is seen as a badge of honor. – Adrignola talk 13:02, 1 June 2011 (UTC)
- Commons' policy is actually much harsher than this one and not exactly comparable. They only count admin actions, not edits. So it is more of a "if you aren't using the tools you don't need them even if you're editing". Killiondude (talk) 16:27, 1 June 2011 (UTC)
- Support @@@@ — Preceding unsigned comment added by Nev1 (talk • contribs)
- Conditional support. Conditions: i) email the admin in question a warning 1 month before desysopping (say, email at 12 months and desysop at 13, if still no activity) ii) after desysopping, 1 month of reasonable activity levels required after return, before resysopping on request at WP:BN. I'd also suggest that if at resysopping request time total activity levels over the previous 5 years are judged very low by bureaucrat consensus, there is bureaucrat discretion to require a reconfirmation RFA; but my support isn't conditional on that. Rd232 talk 13:12, 1 June 2011 (UTC)
- Comment - introduction of process If this passes, I would support a special one-off process for the 250-odd admins that would now be caught. Say monthly warnings for 2 months, then 2 and 1 weeks before the final deadline. Would it also be easier to do the ongoing process say quarterly rather than continuously as anniversaries come up? Johnbod (talk) 13:35, 1 June 2011 (UTC)
- Support as per Johnbod. But of course this is just talk, nothing will change, it hardly ever does here. Malleus Fatuorum 14:09, 1 June 2011 (UTC)
- Consensus seems very much in favour right now. But the "not broken, don't fix it" crowd hasn't come along in force yet to sink it again. AD 16:48, 1 June 2011 (UTC)
- Support. I'm of the mind that inertia is the only realistic reason for not implementing this change. If this was the current status quo, then changing to the current system would seem hard to defend: it could only reduce security, obfuscate the number of active admins, and I think few people would be arguing that the current system (in this hypothetical world) was unfair on those admins. I think a warning email would be a good idea. However, in order for this to go through, the process needs to be laid out so that the consensus to implement is clear (if it is). Grandiose (me, talk, contribs) 14:52, 1 June 2011 (UTC)
- Strong support, long overdue. Wizardman Operation Big Bear 15:54, 1 June 2011 (UTC)
- Oppose per Tothwolf and Fetchy. Killiondude (talk) 16:27, 1 June 2011 (UTC)
- Support If someone wants to retain admin rights they just have to login and edit every year, not difficult. If someone has just disappeared, this sounds a good and long overdue move. Edgepedia (talk) 16:37, 1 June 2011 (UTC)
- Support I'm actually amazed at how much support this is getting, usually this proposal is hijacked by the "not broken, don't fix it" crowd. Just wait till someone mentions it at RFA talk! AD 16:48, 1 June 2011 (UTC)
- Support, with a smile to what Malleus and AD said. --Tryptofish (talk) 17:00, 1 June 2011 (UTC)
- Support, obviously. There are potential advantages and no disadvantage. I can't see how anyone could seriously oppose this. – iridescent 17:01, 1 June 2011 (UTC)+
- Support Why wait for another PR disaster to justify doing this? Creating an easy reinstatement procedure does no harm - shouldn't even cause hard feelings from the returning admin - and if doing so prevents one PR disaster, it's clearly worth it. Anyways, it just makes sense to keep the list of admins orderly. --JaGatalk 17:01, 1 June 2011 (UTC)
- Support, common sense and long overdue. I'd actually make them go through RfA again rather than having them get their tools back via a crat, but that's a more minor issue.Volunteer Marek (talk) 17:22, 1 June 2011 (UTC)
- Add on the hacking of active vs. inactive admin accounts; the obvious difference is that if an active admin account gets hacked, that person is likely to notice, inform the necessary parties, and the problem can quickly be nipped in the butt. But if an inactive admin account gets hacked it might take a long time before the activity (even if it's disruptive and damaging to the project) is noticed and hence there's much more of a possibility of a major snafu.Volunteer Marek (talk) 17:26, 1 June 2011 (UTC)
- Support. Common sense. bd2412 T 17:52, 1 June 2011 (UTC)
- Support (but for different reasons). Verifying account integrity is a basic function and shouldn't require consensus, just do what needs to be done. But why is there a presumption that administrators are appointed for life or that the proverbial mop is an entitlement that need not be returned to the bucket? Frankly, the presence of a contingent of former Wikipedians who may or may not return with administrative powers, unfamiliar with recent happenings, is kinda creepy. Any administrator who takes leave of the project ought to check back in when they return. I'm not saying they should have to re-up as a nominee, just tell everyone they're back and mean to be active again. - Wikidemon (talk) 10:07, 2 June 2011 (UTC)
- Analysis and suggestion.
- Although disconcerting and very undesirable, hijacked admin accounts can't do much harm that isn't obvious and won't get a block in a reasonable time.
- The problem is to be sure that a long-term inactive account of an established user that resumes activity, is under the same control it was before. That's so whether or not the account was desysopped in between.
- Desysopping in the interim has a "feel-good" factor but doesn't actually achieve much. If reactivated user X asks for a resysop the issue is still "how do we know this is the correct account holder". But if they resumed editing after a long break as an admin the same question would be asked.
- The problem will get worse over time, as long standing users taking breaks or resuming editing after several years.
- The solution is to encourage admins to provide some way they can verify they are the correct owners of the account if needed, even if only to Arbcom or WMF. It must not rely on the email address which can be changed by the hijacker.
- A trivially simple example would be to ask all new admins to email Arbcom with a word, string, or textual sentence, which is harmless in itself and simply kept on the Arbcom records. If the account is hacked, the text will be known to the true account owner but probably not to a hijacker. Another way would be to provide a standard toolserver page for committed identity, making it very easy to use for verification.
- The policy could then be simply, "Users resuming activity as an admin after a break of more than a year, may be asked by any users to verify to Arbcom that they are the correct account holder. Administrators are advised to use one of the following methods in advance, to ensure they can do so if needed: <list>"
- FT2 (Talk | email) 17:52, 1 June 2011 (UTC)
- FT2, that's completely missing the point. The main issue isn't the Cool3-type hijacked or sold accounts; it's admins with knowledge of the policies of 2005, trying to enforce the policies of 2011. – iridescent 18:04, 1 June 2011 (UTC)
- Can't be. Desysopping after a year's absence would not address that problem - if you stopped now and came back in a year nobody would claim you only knew the 2005 way of working (or equivalent). When would an admin be "out of date"? Consistent long term absence or low use for say 3 years or more could be a reason. So could 5+ years since their RFA. But a "one year inactivity = desysop" is not targeting "out of date knowledge". Also the header to this section makes clear it's about compromised accounts. FT2 (Talk | email) 18:11, 1 June 2011 (UTC)
- Have a look at my support comment above: I suggested giving bureaucrats the discretion, at a resysopping request, to require reconfirmation RFA if activity is sufficiently low overly a sufficiently long time period. Plus, re your point 5, see my remark below about email address changes triggering a notification to the old address. Rd232 talk 18:14, 1 June 2011 (UTC)
- I'd like a pint of whatever it is you're having FT2; the section title I see is "Suspend sysop rights after 1 Year of inactivity", nothing to do with compromised accounts. Malleus Fatuorum 18:23, 1 June 2011 (UTC)
- Mine's a pint of spring water, then, Malleus :) Immediately after the section title: "The issue [is]... Inactive Admins... admin account was hijacked... emergency De-sysop [] to prevent possible damage... there seems no assurance that dormant account are as safe as assumed.... three years since the [] last major proposal on this was made..." FT2 (Talk | email) 18:47, 1 June 2011 (UTC)
- "[...] it's admins with knowledge of the policies of 2005, trying to enforce the policies of 2011"... can you point to cases where this has previously been a problem? I'm not a fan of hypothetical scenarios being used to push for "solutions in search of problems". --Tothwolf (talk) 19:55, 1 June 2011 (UTC)
- Off the top of my head, it has recently been an issue at ITN with old admins adding hooks to the main page without consensus and without adhering to ITN guidelines. I'm sure there are much more compelling cases (and I would hope others will provide them) than that out there, but I just thought I'd say that it is an issue. Jenks24 (talk) 06:39, 8 June 2011 (UTC)
- Can't be. Desysopping after a year's absence would not address that problem - if you stopped now and came back in a year nobody would claim you only knew the 2005 way of working (or equivalent). When would an admin be "out of date"? Consistent long term absence or low use for say 3 years or more could be a reason. So could 5+ years since their RFA. But a "one year inactivity = desysop" is not targeting "out of date knowledge". Also the header to this section makes clear it's about compromised accounts. FT2 (Talk | email) 18:11, 1 June 2011 (UTC)
- FT2, that's completely missing the point. The main issue isn't the Cool3-type hijacked or sold accounts; it's admins with knowledge of the policies of 2005, trying to enforce the policies of 2011. – iridescent 18:04, 1 June 2011 (UTC)
Suspend sysop rights after 1 year of inactivity - arbitrary break 2
edit- Support -- I don't see any particular downside to this. I agree that it should be almost-automatic to get the tools back, subject to bureaucrats' discretion. --SarekOfVulcan (talk) 18:25, 1 June 2011 (UTC)
- Oppose. Per Tothwolf. This is also seems to be another solution in search of a problem. Ruslik_Zero 18:35, 1 June 2011 (UTC)
- Question: "Desysopping" has naturally come to assume a pejorative connotation; is there some short euphemism, similar to, but better than, "suspension" or "mop-lifting", that anyone can think of? The administrator's done absolutely nothing wrong, any more than any other editor who takes a wikibreak; he or she hasn't attacked the Project, broken any rules, abused the rights of others or deserted Wikipedia. In fact some break from Wikipedia, even a long one if more important matters intervene, can be a healthy thing for those who get too deeply involved. —— Shakescene (talk) 18:50, 1 June 2011 (UTC)
- Good point about the language. Perhaps rights could be "put on hold"? Or perhaps "expired", which would reflect the time-based element; and then the term for restoring the rights could be "refreshing". Rd232 talk 19:10, 1 June 2011 (UTC)
- Just "restoring" seems fine enough to me. Guoguo12 (Talk) 20:01, 1 June 2011 (UTC)
- Good point about the language. Perhaps rights could be "put on hold"? Or perhaps "expired", which would reflect the time-based element; and then the term for restoring the rights could be "refreshing". Rd232 talk 19:10, 1 June 2011 (UTC)
- Support, especially since "if an inactive admin returns to Wikipedia, they may be resysopped by a bureaucrat without further discussion." It's not quite like what Bus stop said above, that this policy "will incentivize a minimum amount of edits in a given period of time." Guoguo12 (Talk) 20:01, 1 June 2011 (UTC)
- If the worst thing about the proposal is that it creates an incentive for sysops to return to Wikipedia at least once a year I don't think we have much to worry about. ▫ JohnnyMrNinja 20:14, 1 June 2011 (UTC)
- Comment: People might be interested in Jimbo's previously expressed strong opinion on this topic [3] Not intended as Argumentum ad Jimbonem as I'm not sure I agree with him, just thought it was worth pointing out. the wub "?!" 20:08, 1 June 2011 (UTC)
- He was talking about "People who are still actively involved in Wikipedia", not those who have not been for some considerable time. Malleus Fatuorum 20:14, 1 June 2011 (UTC)
- Actually, that particular quote was in response to being asked to give up his admin rights. No surprise he wasn't keen on the idea. 28bytes (talk) 20:30, 1 June 2011 (UTC)
- The full discussion thread can be found here. --Tothwolf (talk) 20:46, 1 June 2011 (UTC)
- I suggest that the crat sends an email to say that. With a link to reactivate the sysop bundle. ~~EBE123~~ talkContribs 20:54, 1 June 2011 (UTC)
- Support, I think it will also be okay to push it to 2 years of inactivity. One question..In the spanish wiki, to be an admin you have to have an email acount, in here you don't need to?? (I said it because it said "It will also be contacted through mail if he has a valid one".--Lcsrns (Talk) 21:06, 1 June 2011 (UTC)
- Support per my long-standing view that admin accounts may and have been compromised and gamed, as seen in the very recent User:Spencer195 fiasco. Moreover, there is a social aspect to it, as it seems that lately some admins who return after several years of relative dormancy are sorely inadequate in current guidelines, policy, and practices, which can and has frustrated the community quite a bit. I would also propose a "graduated" approach to asking for the bit back given the following conditions: those inactive over a year may ask a bureaucrat for the bit back with no problems, while those inactive for two or more years would need to go through another RFA to get it back. –MuZemike 21:40, 1 June 2011 (UTC)
- Comment with regards to damage, with a normal account its been suggested that you can push an XfD in one direction or another. The issue with that is that actually lots of people get involved in those kinds of discussions, and so while you might be able to push a discussion from no-consensus to delete or from delete to no-consensus you aren't going to be able to do more than that - and you have to make different arguments with each different account, and use a different writing style, both of which are hard to do effectively.
- You might be more able to influence a discussion on a single talk page with multiple accounts, but that is very small scale, and you risk getting caught if the user asks for any mediation of the dispute, and even there you have to keep your arguments different and your writing styles different - it would be really obvious if you left any tells due to the small numbers in the discussion. If hypothetically there were two people in this discussion who were actually the same person it would be pretty hard as you'd have to check every pair on the same "side", even if you knew one of them it would be pretty hard, whereas in a talk page discussion if two out of the three people on one side of the discussion started making the same tell then it would be obvious they were the same person.
- With an admin account sure if you start being really unsubtle you're going to get caught, as the person has here, but actually its pretty clear that as an admin you get quite a bit of discretion - especially when you aren't interacting with a regular. Even more so if you were prepared to withdraw your disruptive admin decisions when they got to your talk page (or even when it got to ANI) its certainly my experience that the possibility exists that you could get away with quite a lot without anyone realising. -- Eraserhead1 <talk> 21:52, 1 June 2011 (UTC)
- With any anonymous open-to-all internet group like we have at Wikipedia, it would be unreasonable to assume that none of our current accounts are compromised. Surely, at least some of our accounts are not the editors who originally started them, as accounts can be passed on or shared without the communities knowledge. If someone were smart and unscrupulous, they could make a business of starting and selling off admin accounts to PR firms and corporations. Study RfAs, become an admin, and then advise the buyer on how to remain unnoticed. I don't think it is likely, but it is certainly possible. ▫ JohnnyMrNinja 22:06, 1 June 2011 (UTC)
- ...and why would people not do the same with non-admin accounts? Create a new account, vandal fight using automated tools such as a modified version of AWB disguised as twinkle (perhaps even creating the vandalism with throw-away socks), rack up several thousand edits or more and sell the account off to a similar buyer. This is done all the time with in-game currency and other non-tangible items of value, and you can't say that this hasn't or isn't occurring here. --Tothwolf (talk) 02:18, 2 June 2011 (UTC)
- Sorry that wasn't clear, I meant that it's likely it happens across the board, and possibly with admin accounts. The anonymous nature of the site means that we will never know how many accounts are being run by someone other than the person who started the account. I meant this more as a comment on the comment before, and it doesn't actually have much bearing on the conversation at hand. If a regular account is compromised and starts making slightly different edits, but not making waves, it doesn't really matter in the long run. It's not worse than the 500 edits a day adding the word "poo" in amusing places. ▫ JohnnyMrNinja 03:06, 2 June 2011 (UTC)
- Ah, ok, I guess I misunderstood you then. "The anonymous nature of the site means that we will never know how many accounts are being run by someone other than the person who started the account." That I do agree with. I guess the way I could sum up what I was saying above, is anytime you have something such as a user account which could have any sort of monetary value, you will also have people interested in the buying/selling/trading of such "goods". Even low-userid accounts on Slashdot have not been immune to this.
"If a regular account is compromised and starts making slightly different edits, but not making waves, it doesn't really matter in the long run." Just to play devil's advocate for a moment, but would the same not be true for an admin account? ;P In the old days, admin functions were handled with a single shared account which lots of people had access to. Perhaps over time we've gone too far in other direction in restricting the admin bit too much and have in effect made the admin bit more "valuable" than it should be, both to those who might buy/sell/trade accounts and as a status symbol for those who have it but don't actually use the tools it provides access to? --Tothwolf (talk) 18:02, 4 June 2011 (UTC)
- Ah, ok, I guess I misunderstood you then. "The anonymous nature of the site means that we will never know how many accounts are being run by someone other than the person who started the account." That I do agree with. I guess the way I could sum up what I was saying above, is anytime you have something such as a user account which could have any sort of monetary value, you will also have people interested in the buying/selling/trading of such "goods". Even low-userid accounts on Slashdot have not been immune to this.
- Sorry that wasn't clear, I meant that it's likely it happens across the board, and possibly with admin accounts. The anonymous nature of the site means that we will never know how many accounts are being run by someone other than the person who started the account. I meant this more as a comment on the comment before, and it doesn't actually have much bearing on the conversation at hand. If a regular account is compromised and starts making slightly different edits, but not making waves, it doesn't really matter in the long run. It's not worse than the 500 edits a day adding the word "poo" in amusing places. ▫ JohnnyMrNinja 03:06, 2 June 2011 (UTC)
- ...and why would people not do the same with non-admin accounts? Create a new account, vandal fight using automated tools such as a modified version of AWB disguised as twinkle (perhaps even creating the vandalism with throw-away socks), rack up several thousand edits or more and sell the account off to a similar buyer. This is done all the time with in-game currency and other non-tangible items of value, and you can't say that this hasn't or isn't occurring here. --Tothwolf (talk) 02:18, 2 June 2011 (UTC)
- Clearly you aren't familiar with how such people operate then. If someone manages to gain access to an admin account, they are going to use the tools and that gets noticed. Abuse of non-admin accounts can go on for much longer periods of time and results in much more long term harm to Wikipedia and editor morale. --Tothwolf (talk) 02:16, 2 June 2011 (UTC)
- With any anonymous open-to-all internet group like we have at Wikipedia, it would be unreasonable to assume that none of our current accounts are compromised. Surely, at least some of our accounts are not the editors who originally started them, as accounts can be passed on or shared without the communities knowledge. If someone were smart and unscrupulous, they could make a business of starting and selling off admin accounts to PR firms and corporations. Study RfAs, become an admin, and then advise the buyer on how to remain unnoticed. I don't think it is likely, but it is certainly possible. ▫ JohnnyMrNinja 22:06, 1 June 2011 (UTC)
- Support the general principle. I'm not crazy about notifying the admin one month in advance. If their e-mail account had been compromised, sending an e-mail to them is an invitation for impostors. A Quest For Knowledge (talk) 22:03, 1 June 2011 (UTC)
- Oppose, but not strongly so. My line of thinking is pretty much the same as fetchcomm's above. We haven't had any problem de-sysoping compromised accounts, and I think anyone that's managed to be an admin for any length of time would have the sense to look around to see what's changed. (at least I'd hope so). — Ched : ? 01:18, 2 June 2011 (UTC)
- Support. Don't think it'll be that big a win in terms of protection from compromise, but I don't perceive any tangible disadvantage; and while I'm a respecter of tradition, I don't think this one has anything but inertia behind it. Choess (talk) 03:39, 2 June 2011 (UTC)
- Support—It's surprising this procedure doesn't exist already; important for the protection of the project and us as editors. Tony (talk) 03:48, 2 June 2011 (UTC)
- Oppose, further discussion on both issues is necessary (account security, and the problem of inactive admins). This proposal in its current form doesn't solve either problem. --Chris 06:24, 2 June 2011 (UTC)
- Support -- industry best practice to prevent identity theft should be regarded as an essential precaution for the protection of both readers and editors, and not a right for the duration of the account. --Ohconfucius ¡digame! 08:05, 2 June 2011 (UTC)
- Support - Admin tools never expire? Why? Lightmouse (talk) 09:53, 2 June 2011 (UTC)
- Support, deactivating inactive accounts is generally a good practice in terms of securing computer systems. In regard to the security issues, I would suggest that there is also a danger from a hacker who does not make their presence known, since since admins have access to places normal editors do not. I do not think we should assum that we can spot a bad actor by their bad actions. There's no emergency here, but if we notify inactive admins and create a low bar for an automatic bit flip, I see little down side. --Nuujinn (talk) 10:09, 2 June 2011 (UTC)
- Those are all excellent points. 28bytes (talk) 15:20, 2 June 2011 (UTC)
- Oppose - We've only had 2 cases where former admins had their accounts hijacked, one being User:RickK and the other I forgot. But I remember seeing MULTIPLE Signpost articles about current admins having their accounts hijacked, there was one last year involving 5/6 IIRC. This proposal just adds unnecessary work for stewards and the threat lies purely with current admins. —James (Talk • Contribs) • 10:10pm • 12:10, 2 June 2011 (UTC)
- I don't know if there is a list somewhere, and these aren't easy to research, but User:RickK, User:Spencer195, User:Vancouverguy, User:Zoe (best quote ever). These are the ones that I saw before I got tired of cross-referencing. There don't appear to be a ton of admins that were banned for being compromised after a period of inactivity. These are the ones that made it obvious enough that they got banned instead of de-sysoped or going unnoticed. It's not like there is a noticeboard that admins post to when they come back from a 3 year furlough and now have different interests. ▫ JohnnyMrNinja 14:09, 2 June 2011 (UTC)
- "The threat lies purely with current admins" is an odd thing to say given that this proposal was sparked in part by a 6-year-inactive admin account being recently compromised. 28bytes (talk) 15:20, 2 June 2011 (UTC)
- I don't know if there is a list somewhere, and these aren't easy to research, but User:RickK, User:Spencer195, User:Vancouverguy, User:Zoe (best quote ever). These are the ones that I saw before I got tired of cross-referencing. There don't appear to be a ton of admins that were banned for being compromised after a period of inactivity. These are the ones that made it obvious enough that they got banned instead of de-sysoped or going unnoticed. It's not like there is a noticeboard that admins post to when they come back from a 3 year furlough and now have different interests. ▫ JohnnyMrNinja 14:09, 2 June 2011 (UTC)
- If there is a problem with current admins being hijacked, that suggests we should also improve security for them. That might include requiring secure login, committed identity and minimum password length. But that should be a separate proposal, and it doesn't argue against the current proposal.--agr (talk) 16:26, 2 June 2011 (UTC)
- Support The fact that we continue to use the default of keeping permissions in place indefinitely just because there is no policy stating otherwise is foolish and contributes to the perception of admin as a rank, status, or award. I do not find any of the opposes to be convincing in any way as this proposal does no harm to the project, and may have the ability to protect it. Even if the occasion of a compromised account is rare, there is no good reason to leave the temptation out there as a juicy target for those who seek to do damage. Suspension of admin rights on inactive accounts is easily reversible, and should be subject to the discretion of Crats to ensure that returning admins are up to date on policy changes. This can be as simple as the word of the returning admin if a crat is satisfied with that. Jim Miller See me | Touch me 13:45, 2 June 2011 (UTC)
- Support - this seems like a reasonable step to give some protection against hacked accounts and folks with out-of-date knowledge. Is it perfect? Of course not, but it would be a step better than leaving these accounts on the books, and the opposers have not convinced me of any actual harm in doing it. Slight positive with no negative yields a net positive for the project. LadyofShalott 14:16, 2 June 2011 (UTC)
- Support I take the point that inactive accounts are no more likely to be compromised than active ones. However, active ones are doing good, while inactive ones are not - so there's no loss to suspending rights. Further, we will eventually get to the point where inactive accounts outweigh actives ones - so removing the inactive ones will significantly lower the total number of accounts, which can't but improve security. Note, I am supporting this only on the basis that it is a no-fuss easily reversed suspension. The gain is not sufficient to justify the bureaucracy involved in any process for retrieval of rights. Bureaucrats should by default restore on request (always allowing for an exercise of common sense in exceptional circumstances).--Scott Mac 17:11, 2 June 2011 (UTC)
- Support I endorse the concept of not having dangling privileges out there for any holder of advanced privileges beyond a specific date of inactivity. We don't want people who successfully got autopatrolled to go on a extended holiday and come back writing new articles very questionable conformity to standards. Equally, If an admin is inactive for over a year and a half, I want them to do some editing first to demonstrate that they understand policies before we hand the keys to the janitorial supply closet back. Yes it means a fractional increase in the amount of work the Burecrats will do, but in the long run it reduces the possibility of actions not in confirmity with the community's consensus. Hasteur (talk) 20:46, 2 June 2011 (UTC)
- Oppose - As written, this just creates a false sense of security (albeit for something that isn't really a significant security risk). As long as the desysopping can be undone by a simple post to WP:BN it's like taking away someone's keys and then hiding them under the doormat. The "identity is not in dispute" clause does little to mitigate this because unless they're acting strangely there would be no grounds for such a dispute. The only way this would work would be to reverse the clause and somehow require positive confirmation of identity and/or require all of them to do a reconfirmation RFA. Mr.Z-man 22:16, 2 June 2011 (UTC)
- Forcing them to appear publicly and re-request the permissions brings them to light. People would be much more likely to notice suspicious behaviour then, whereas they wouldn't if they were just allowed to start using their admin powers again without having to get them back from a bureaucrat. -- Eraserhead1 <talk> 22:23, 2 June 2011 (UTC)
- Spencer195 did nothing suspicious after returning and was still caught before causing any damage. Vancouverguy was blocked within 3 minutes of making an edit. RickK and Zoe turned themselves in. Looking for "suspicious behavior" is just as vague as "identity is not in dispute." What would be suspicious without also being obvious? I would presume that if someone is capable of hacking an inactive admin account, they're also capable of lying low for a few days. Mr.Z-man 22:56, 2 June 2011 (UTC)
- "[...] it's like taking away someone's keys and then hiding them under the doormat." Except that the keys aren't even being hidden under the doormat, they are sticking out of the lock on the door. --Tothwolf (talk) 18:16, 4 June 2011 (UTC)
- Because most people don't spend all their time following the logs, it would be possible to admin in a poor manner, or just use the powers to view deleted content etc.
- And while the keys might be on display to extend your analogy they have to walk into the courthouse and publicly register with the court clerk that they want their keys back. -- Eraserhead1 <talk> 18:18, 4 June 2011 (UTC)
- "Because most people don't spend all their time following the logs," Perhaps you don't, but others do spend a good deal of time removing changes and logs.
"it would be possible to admin in a poor manner," Uhm, and this has already happened many times without accounts being compromised.
"or just use the powers to view deleted content etc." ...and why would it ever matter if someone could view deleted content? We aren't talking about oversighted material here.
"they have to walk into the courthouse and publicly register with the court clerk that they want their keys back." No, a court clerk would require some form of positive identification. In this case the person operating the account only has to make an anonymous post to a noticeboard with no further identification in order to have the admin bit restored. --Tothwolf (talk) 19:16, 4 June 2011 (UTC)
- "Because most people don't spend all their time following the logs," Perhaps you don't, but others do spend a good deal of time removing changes and logs.
- You keep banging on about password strength Tothwolf, but that's a very small part of the picture. Were I so inclined I could very easily get hold of the password for one of the long-abandoned admin accounts, without having to bother with a password-cracker. Malleus Fatuorum 18:22, 4 June 2011 (UTC)
- Indeed it is a small part of the overall picture, but removing the admin bit itself fixes absolutely nothing. "Were I so inclined I could very easily get hold of the password for one of the long-abandoned admin accounts, without having to bother with a password-cracker." As could a good many "well established" editors, and that would not be limited to "long-abandoned" accounts either. That however, is an argument for RfA reform. Given that, why would anyone ever even need a password cracker? (I won't say much more on that per WP:BEANS.) --Tothwolf (talk) 19:22, 4 June 2011 (UTC)
- I think I already said that there's no need of a password-cracker. as for RfA, well, that's just a hopeless basket-case. But one thing it fixes is the persistent illusion that wikipedia has 1800 administrators. Which it might do, but only if you believe in zombies. Malleus Fatuorum 19:31, 4 June 2011 (UTC)
- "[...] as for RfA, well, that's just a hopeless basket-case." I previously thought the same thing about some other things here on Wikipedia, but those eventually began to change, so even if it is optimistic thinking at this point, I hope RfA does begin to improve. --Tothwolf (talk) 19:41, 4 June 2011 (UTC)
- It won't, it can't, and it may well be the death of wikpedia Mk I. Malleus Fatuorum 21:57, 4 June 2011 (UTC)
- The in the news section has become much more productive with hard work, there's no reason other sections of the site cannot improve too. Can't is the enemy of improvement. -- Eraserhead1 <talk> 21:59, 4 June 2011 (UTC)
- It won't, it can't, and it may well be the death of wikpedia Mk I. Malleus Fatuorum 21:57, 4 June 2011 (UTC)
- "[...] as for RfA, well, that's just a hopeless basket-case." I previously thought the same thing about some other things here on Wikipedia, but those eventually began to change, so even if it is optimistic thinking at this point, I hope RfA does begin to improve. --Tothwolf (talk) 19:41, 4 June 2011 (UTC)
- I think I already said that there's no need of a password-cracker. as for RfA, well, that's just a hopeless basket-case. But one thing it fixes is the persistent illusion that wikipedia has 1800 administrators. Which it might do, but only if you believe in zombies. Malleus Fatuorum 19:31, 4 June 2011 (UTC)
- Indeed it is a small part of the overall picture, but removing the admin bit itself fixes absolutely nothing. "Were I so inclined I could very easily get hold of the password for one of the long-abandoned admin accounts, without having to bother with a password-cracker." As could a good many "well established" editors, and that would not be limited to "long-abandoned" accounts either. That however, is an argument for RfA reform. Given that, why would anyone ever even need a password cracker? (I won't say much more on that per WP:BEANS.) --Tothwolf (talk) 19:22, 4 June 2011 (UTC)
- Forcing them to appear publicly and re-request the permissions brings them to light. People would be much more likely to notice suspicious behaviour then, whereas they wouldn't if they were just allowed to start using their admin powers again without having to get them back from a bureaucrat. -- Eraserhead1 <talk> 22:23, 2 June 2011 (UTC)
Suspend sysop rights after 1 year of inactivity - arbitrary break 3
edit- Support Sounds like simple common sense. A year is an awfully long time, after all. Andrew Lenahan - Starblind 01:05, 3 June 2011 (UTC)
- Support - I like RD232's caveats, and I think a good faith straightforward resysop for admins whose conduct has not been egregious before a long break is not bad either. I like the idea of getting a better idea of admin numbers. Casliber (talk · contribs) 01:52, 3 June 2011 (UTC)
- Provided good-faith re-sysop process exists, this is quite reasonable -- Samir 03:38, 3 June 2011 (UTC)
- Support - I agree this is just common sense. --Kumioko (talk) 03:53, 3 June 2011 (UTC)
- Support - Once again, this is common sense. Swarm X 00:45, 4 June 2011 (UTC)
- Support. Standard good security practice. Per Nuujinn above, the problem is not only with what admins can do, but with what they can see. An "inactive" account could be being used unethically and we wouldn't know. —SMALLJIM 13:06, 4 June 2011 (UTC)
- Oppose Per the reasons that lead to the rejection of Wikipedia:Inactive administrators (2005) and Wikipedia:Requests for adminship/desysop poll. Any proposal that removes permissions based on temporary inactivity will make it less likely that admins return to their former activity, even if the barrier is low. Per Wikipedia:PEREN#Demote inactive admins, inactive accounts are much less likely to be compromised than active accounts, so the security angle is not really a good reason to support this proposal. And as Mr.Z-man notes correctly above, a low barrier solution will be completely useless because a simple request to WP:BN is not suspicious at all if you don't act completely stupid. Someone could hijack an account, re-request the mop, wait a few weeks and then run amok. People would only be more alert the first few days after the request, not for weeks or months. And any higher barrier like a new RFA will just lead to those users never returning at all. Regards SoWhy 18:06, 4 June 2011 (UTC)
- I don't think you can a complete break of a year "temporary". I think some evidence needs providing for inactive accounts being less likely to be compromised, they are probably much more likely to be compromised as the real account holder isn't around to figure out what has happened.
- The point about a low barrier solution is that it forces the inactive user to step forward publicly and given its unlikely to happen they are an obvious user to keep an eye on, whereas without it they can run amok without publicising themselves, and most people don't spend their time checking through the logs to detect these things. -- Eraserhead1 <talk> 18:12, 4 June 2011 (UTC)
- Why not? If I have to work in a part of the world for a year that has no internet, I do intend to come back after that period. "Temporary" just means "for a certain period of time", it does not mean "for a short time". So the burden of proof that those people really do not intend to come back falls on those who wish to desysop them. As for the likelihood, the devs have said so, so we could probably ask them. But I think there are several reasons to assume that this is true. As far as I know, often accounts are compromised by tricking an admin or by hijacking it using a manipulated script or website. Those methods only work when the admin is active. On the other hand, the only way to take over an inactive admin's account is by brute-forcing / guessing the password, hacking their mail account and requesting a new password or by exploiting a vulnerability in MediaWiki. All those methods work the same for active admins though, so there is no method that works better just because someone is inactive. If someone got into my account while I was away on vacation, it would be the same as if I had been inactive for three years. As for the other argument, I think there was plenty evidence provided above that compromised accounts will be spotted quickly anyway once they run amok, so there is no benefit in the "stepping-forward". Regards SoWhy 19:00, 4 June 2011 (UTC)
- Firstly where in the world doesn't have internet access? And in the extremely unlikely case someone going somewhere where internet access is very limited - not that I can think of any - then they can request re-sysop on their return, or they can tell people before they leave that's what they are doing.
- The fundamental difference with an active account is that the active user is around to complain about anyone taking over their account. -- Eraserhead1 <talk> 19:12, 4 June 2011 (UTC)
- Quite. And the point that reactionaries like SoWhy are so reluctant to address is that if the present system is allowed to continue then one day there will be more wikipedia administrators than there are people alive on the Earth. It's already ridiculous to see claims that there are something like 1800 administrators; what there are are perhaps 1800 users who have passed RfA, some of whom are undoubtedly now dead and others who have lost interest. Malleus Fatuorum 19:18, 4 June 2011 (UTC)
- Actually, taking a year or more off isn't that uncommon. Why? To start with, see Conscription and Peace Corps. --Tothwolf (talk) 19:32, 4 June 2011 (UTC)
- Taking a year off is fine, but why should the account of an absent user retain advanced rights during that time when they clearly can't be used? Malleus Fatuorum 19:37, 4 June 2011 (UTC)
- And even if you did take a year off you'd still have internet access. -- Eraserhead1 <talk> 19:39, 4 June 2011 (UTC)
- Perhaps the real problem is looking at the admin bit as "advanced rights". WP:NOBIGDEAL, right? --Tothwolf (talk) 19:45, 4 June 2011 (UTC)
- You can claim that being an admin isn't really a big deal, but I don't think its fair to argue that admins don't have advanced permissions when that is manifestly false. -- Eraserhead1 <talk> 19:47, 4 June 2011 (UTC)
- (edit conflict)When Jimbo said that, Wikipedia had 107 regular and 550 occasional editors. The Wikipedia of more than eight years later is not the same place. – iridescent 19:49, 4 June 2011 (UTC)
- "The Wikipedia of more than eight years later is not the same place." Indeed, Wikipedia has since become a lot more biased, elitist, and dysfunctional, hence one of the major reasons why we now have a significant problem with retaining skilled contributors. [4] [5] --Tothwolf (talk) 20:04, 4 June 2011 (UTC)
- You seem to be drifting from the plot, unless you're trying to make the extremely dubious claim that inactive administrators are skilled contributors. Or indeed contributors at all. Malleus Fatuorum 20:20, 4 June 2011 (UTC)
- "The Wikipedia of more than eight years later is not the same place." Indeed, Wikipedia has since become a lot more biased, elitist, and dysfunctional, hence one of the major reasons why we now have a significant problem with retaining skilled contributors. [4] [5] --Tothwolf (talk) 20:04, 4 June 2011 (UTC)
- I find it hard to believe that anyone with enough strength of character to put in a year's worth of their life into the Peace Corps would find checking in at the crats' desk to say "I'm back, please resysop" to be an unbearable burden. 28bytes (talk) 19:51, 4 June 2011 (UTC)
- Taking a year off is fine, but why should the account of an absent user retain advanced rights during that time when they clearly can't be used? Malleus Fatuorum 19:37, 4 June 2011 (UTC)
- Why not? If I have to work in a part of the world for a year that has no internet, I do intend to come back after that period. "Temporary" just means "for a certain period of time", it does not mean "for a short time". So the burden of proof that those people really do not intend to come back falls on those who wish to desysop them. As for the likelihood, the devs have said so, so we could probably ask them. But I think there are several reasons to assume that this is true. As far as I know, often accounts are compromised by tricking an admin or by hijacking it using a manipulated script or website. Those methods only work when the admin is active. On the other hand, the only way to take over an inactive admin's account is by brute-forcing / guessing the password, hacking their mail account and requesting a new password or by exploiting a vulnerability in MediaWiki. All those methods work the same for active admins though, so there is no method that works better just because someone is inactive. If someone got into my account while I was away on vacation, it would be the same as if I had been inactive for three years. As for the other argument, I think there was plenty evidence provided above that compromised accounts will be spotted quickly anyway once they run amok, so there is no benefit in the "stepping-forward". Regards SoWhy 19:00, 4 June 2011 (UTC)
- "...a low barrier solution will be completely useless because a simple request to WP:BN is not suspicious at all if you don't act completely stupid. Someone could hijack an account, re-request the mop, wait a few weeks and then run amok." - that doesn't make it "completely useless", it makes it less than perfect. It's also why I specified condition (ii) in my Conditional Support: "after desysopping, 1 month of reasonable activity levels required after return, before resysopping on request at WP:BN." That requires slightly more commitment by a hijacker, and more chance of detection of something amiss before getting admin rights. It's also an approach which is particularly relevant when you think about the significance of access to Viewdelete rights (see discussion below). Rd232 talk 17:44, 5 June 2011 (UTC)
- Support Someone not using the tools won't really miss them. -- WOSlinker (talk) 21:49, 4 June 2011 (UTC)
- Support. Wikipedia needs editors who are ready, willing, and able. An absentee admin is of no use to the project.--Brianann MacAmhlaidh (talk) 06:20, 5 June 2011 (UTC)
- Support I see no reason no reason to say no --Guerillero | My Talk 18:02, 5 June 2011 (UTC)
- Obvious Support; the sysop bit is no big deal, it would be nice to get a better sense of our actual admin #'s and I don't see any issue with inactive editors beign de-sysopped. --Errant (chat!) 20:02, 5 June 2011 (UTC)
- Support; it mitigates a real risk at minimal cost. Removing some rights from long-idle accounts is best practice in IT security - I would point out that the current proposal is considerably lighter (much longer period and much smaller change to user rights) than is the norm in the organisations I advise. bobrayner (talk) 23:59, 5 June 2011 (UTC)
- 'Support - Though I think 1 year is too short a period especially for planned wikibreaks to necessitate de-sysoping. That can be amended later. Marcus Qwertyus 00:24, 6 June 2011 (UTC)
- Oppose – This just seems like we aren't attacking the root of the issue—insecure passwords. Forcing all admins to make their passwords a certain strength, and resetting old admin passwords (along with sending emails to the confirmed emails) that aren't as secure, would be a better way to solve the actual issue, which is a security issue. Desysopping doesn't actually solve the issue, and active admins could also be targeted if they have insecure passwords. —mc10 (t/c) 01:01, 7 June 2011 (UTC)
- That sort of thing can be done in addition (and I'd welcome more input at Wikipedia:Village pump (proposals)/Account security). But you seem to overlook the fact that many inactive admins may now not have valid email addresses specified (or if they do, may ignore requests to improve password strength, whilst sending out new passwords blindly is bad security practice and liable to piss people off to boot). Desysopping is a simple and effective solution for improving security in relation to people no longer participating in the project. Rd232 talk 02:09, 7 June 2011 (UTC)
- Support per 28bytes and bobrayner. Shubinator (talk) 02:45, 8 June 2011 (UTC)
- Support. I took a multi-year wikibreak once (before I was an admin), and if I took another I would hardly be astonished or upset if upon returning I found a message on my talk page telling me that my privileges had been suspended due to inactivity. Some other Wikimedia projects have activity requirements for admins, some harsher than what is proposed here. This is the sort of obvious security measure that should have been part of adminship from the very beginning. Should there be other security measures? Yes, and that is being discussed elsewhere. And yes, a savvy hacker might defeat this measure and others proposed as well. But that does not mean this idea isn't helpful; a single change does not need to solve every problem to be a good idea. --RL0919 (talk) 15:09, 8 June 2011 (UTC)
- Support Not convinced of a substantial security risk but the real question is why this wasn't implemented before. 1 edit a year or the inconvienance of posting once annually on BN (which would seem to count as that one edit) isn't exactly much to ask. Bob House 884 (talk) 21:33, 8 June 2011 (UTC)
- Oppose per the general 'solution in search of a problem' argument. I simply don't see what benefit this offers. The disruption which could occur from a compromised admin account is the same for an active one as for an inactive one. The probability of one being compromised depends on the security of their password, not on their level of activity. And the likelihood of a compromised account being spotted depends on how conspicuous their mischief is: deleting the Main Page is quite obvious but viewing deleted revisions is not. This proposal really makes no difference. ╟─TreasuryTag►assemblyman─╢ 09:08, 9 June 2011 (UTC)
Define: A = number of active admin accounts, I = number of inactive admin accounts (definition of inactivity doesn't matter for the logic, but let's say no edits for 1 year, as per proposal) Define: S1 = insecurity of active accounts (0-1 variable: 0=perfect security, 1=complete insecurity), S2 insecurity of inactive accounts. Then
Risk of any admin account being breached = (A * S1) + (I * S2)
For there to be zero benefit from the proposal, either I needs to be zero (no inactive admin accounts), or S2 needs to be zero (i.e. inactive accounts have perfect security). Clearly neither is true, and therefore the proposal has security benefits, by reducing I to zero. Quod erat demonstrandum. Rd232 talk 09:46, 9 June 2011 (UTC)
- I'm not sure that an equation is the best way to look at this. The only way this proposal could have benefit is if it decreases S2 – and I, along with several others by the look of it, don't see that it does. The other point is that initiating a major change must have not just some benefit beyond zero, but a significant benefit. And as I've pointed out just above, there is no greater risk of an inactive account actually being compromised than an active account; no greater potential for disruption; and no decreased possibility of it being spotted simply due to its inactive status. I agree that compromised admin accounts in general are a problem, but this proposal seems to only focus on one arbitrary part of that problem. ╟─TreasuryTag►without portfolio─╢ 10:00, 9 June 2011 (UTC)
- "I'm not sure that an equation is the best way to look at this." - it is, it makes it clear and simple. I'm sorry you still don't get it. Rd232 talk 10:31, 9 June 2011 (UTC)
- Or perhaps I (and the other opposers) do get it but simply disagree with you? ╟─TreasuryTag►tortfeasor─╢ 10:35, 9 June 2011 (UTC)
- I'm not talking about all opposition, I'm talking about people denying that the proposal has any security benefit. The equation proves this is untrue. Rd232 talk 11:02, 9 June 2011 (UTC)
- Or perhaps I (and the other opposers) do get it but simply disagree with you? ╟─TreasuryTag►tortfeasor─╢ 10:35, 9 June 2011 (UTC)
- "I'm not sure that an equation is the best way to look at this." - it is, it makes it clear and simple. I'm sorry you still don't get it. Rd232 talk 10:31, 9 June 2011 (UTC)
- In short, I feel that the proposal is vaguely like the police saying, "In order to fight crime, we're going to randomly select ten ordinary houses and station officers outside them round the clock." Yes there is obviously a benefit above zero, because those ten houses will be safe from burglary, but they were no more likely to be burgled than any others to begin with. Concentrating security efforts on an arbitrary group of potential targets is a bad approach for all sorts of reasons. ╟─TreasuryTag►high seas─╢ 10:04, 9 June 2011 (UTC)
- What part of deactivating unused accounts with high privileges is random? It's nothing like your analogy, it's more like deactivating keycards from employees who haven't been seen or heard from in a year. Rd232 talk 10:31, 9 June 2011 (UTC)
- What part of deactivating unused accounts with high privileges is random? It's not random but arbitrary: a subtle distinction. Is there anything about an inactive account which makes it easier to compromise? Yes or no? ╟─TreasuryTag►tortfeasor─╢ 10:35, 9 June 2011 (UTC)
- Your question demonstrates that you have not understood the equation. It is irrelevant whether S2 is greater than S1 (which it obviously is, the discussion at the security RFC indicates why), the only thing that matters is that the total security risk from inactive accounts is simply I*S2. That total risk can be reduced to zero by the proposal ("yes or no?"). PS how is targeting inactive accounts arbitrary? "Yes I don't work here any more but deactivating my keycard is arbitrary, what about the people who still do?" Rd232 talk 11:02, 9 June 2011 (UTC)
- People no longer working for a specific employer traditionally go through a slightly more formalised process than people who simply don't use a particular online login for x months. ╟─TreasuryTag►Alþingi─╢ 11:04, 9 June 2011 (UTC)
- So? You're nitpicking about the analogy, which is funny given the extraordinary weakness of your police officer analogy above. Bottom line: deactivating unused high-privilege logins is standard security practice. Rd232 talk 11:28, 9 June 2011 (UTC)
- ...given the extraordinary weakness of your police officer analogy above. Since you seem not to be behaving with the politeness and open-ness to others' points of view which I generally see from you, I'll withdraw from this line of discussion. ╟─TreasuryTag►constablewick─╢ 11:51, 9 June 2011 (UTC)
- There are clearly at least some security benefits of doing this (given its standard IT policy, I'd say some was probably an understatement), and given that only one inactive for longer than a year admin has come back, the price of doing it seems pretty minor. -- Eraserhead1 <talk> 23:36, 9 June 2011 (UTC)
- To give a better analogy, why does no operating system (since XP) allow users to run as root by default? Giving users extra privileges makes it easier to run their computers, but it also introduces security risks, so that's why you don't give people root access by default, and have sudo or UAC. -- Eraserhead1 <talk> 23:41, 9 June 2011 (UTC)
- There are clearly at least some security benefits of doing this (given its standard IT policy, I'd say some was probably an understatement), and given that only one inactive for longer than a year admin has come back, the price of doing it seems pretty minor. -- Eraserhead1 <talk> 23:36, 9 June 2011 (UTC)
- ...given the extraordinary weakness of your police officer analogy above. Since you seem not to be behaving with the politeness and open-ness to others' points of view which I generally see from you, I'll withdraw from this line of discussion. ╟─TreasuryTag►constablewick─╢ 11:51, 9 June 2011 (UTC)
- So? You're nitpicking about the analogy, which is funny given the extraordinary weakness of your police officer analogy above. Bottom line: deactivating unused high-privilege logins is standard security practice. Rd232 talk 11:28, 9 June 2011 (UTC)
- People no longer working for a specific employer traditionally go through a slightly more formalised process than people who simply don't use a particular online login for x months. ╟─TreasuryTag►Alþingi─╢ 11:04, 9 June 2011 (UTC)
- Your question demonstrates that you have not understood the equation. It is irrelevant whether S2 is greater than S1 (which it obviously is, the discussion at the security RFC indicates why), the only thing that matters is that the total security risk from inactive accounts is simply I*S2. That total risk can be reduced to zero by the proposal ("yes or no?"). PS how is targeting inactive accounts arbitrary? "Yes I don't work here any more but deactivating my keycard is arbitrary, what about the people who still do?" Rd232 talk 11:02, 9 June 2011 (UTC)
- What part of deactivating unused accounts with high privileges is random? It's not random but arbitrary: a subtle distinction. Is there anything about an inactive account which makes it easier to compromise? Yes or no? ╟─TreasuryTag►tortfeasor─╢ 10:35, 9 June 2011 (UTC)
- Any supposed security benefit is based on the assumption that desysopping an account inherently makes it safe. As I've said above, allowing users to simply get the rights back with a post to a noticeboard means that that assumption has little basis in reality. If someone can figure out how to hack an account, I imagine they're capable of manipulating a trivial process. I'd rather have a known security issue than a false sense of security. Mr.Z-man 01:58, 10 June 2011 (UTC)
- What part of deactivating unused accounts with high privileges is random? It's nothing like your analogy, it's more like deactivating keycards from employees who haven't been seen or heard from in a year. Rd232 talk 10:31, 9 June 2011 (UTC)
- Support; personally, what worries me is access to deleted pages and revisions. A compromised account that deletes the main page is not going to last long anyways, but it's entirely possible that a stolen admin account be used for this indefinitely. — Coren (talk) 11:11, 9 June 2011 (UTC)
- I agree - this sort of "silent abuse" is very hard to detect and combat (though I did just come up with something - Wikipedia:Village_pump_(proposals)/Account_security#Limit_viewdeleted_rights_for_admin_accounts). Reducing the number of compromisable accounts by pruning inactive ones is an obvious one though. Rd232 talk 11:32, 9 June 2011 (UTC)
- Support; This policy should be implemented as soon as possible. My76Strat talk 16:34, 9 June 2011 (UTC)
- Support. An obvious prophylactic. Any highly experienced user could think of some very nasty things to do with admin rights. I can think of some doozies that are far beyond anything any vandal has ever done, though obviously I'm not going into any specifics. If four accounts have been compromised, that makes a fifth not very unlikely and next time we could get a much smarter vandal.--Fuhghettaboutit (talk) 22:55, 9 June 2011 (UTC)
- Oppose lots of reasons, but SoWhy puts it very well. --Dweller (talk) 10:34, 14 June 2011 (UTC)
- Support - Per WP:USEITORLOSEIT. I additionally think it would be beneficial to have more accurate information as to exactly how many ACTIVE administrators there are at any moment. Regularized desysopping of inactive people would help get the count right. Carrite (talk) 15:27, 14 June 2011 (UTC)
- Oppose - if return of rights is automatic then this is just extra process that will require more time from bureaucrats and stewards without any appreciable security gain. WJBscribe (talk) 17:21, 14 June 2011 (UTC)
- It isn't clear that it will be automatic. That depends on how the closing admin closes the proposal. -- Eraserhead1 <talk> 17:58, 14 June 2011 (UTC)
- Support - Desysoping inactive accounts is sensible, and is done on other projects without any major issues. Even if benefits relating to security and having an accurate list of admins are minor, it it still worth doing. CT Cooper · talk 22:46, 14 June 2011 (UTC)
Suspend sysop rights after 1 year of inactivity - arbitrary break 4
edit- Support. Can't see any downside to this. It increases security and any admin who is inactive for over a year and wants their admin rights back can regain them extremely easily. Jenks24 (talk) 08:15, 18 June 2011 (UTC)
- Support. This is reasonable. Moray An Par (talk) 12:47, 19 June 2011 (UTC)
- Support. Something like this is way overdue. Now that WP is middle-aged (as Internet sites go) it needs to deal with problems such as this, and this seems reasonable and in no way an over-reaction. I perhaps would have preferred a shorter time perio (6 months?), but this will do. Beyond My Ken (talk) 22:15, 20 June 2011 (UTC)
- Support (unless I've !voted previously?) - No real reason not to. Eagles 24/7 (C) 23:29, 20 June 2011 (UTC)
- Support. Overdue. Jd2718 (talk) 02:31, 21 June 2011 (UTC)
- Support. Jenks24 nailed it above. Kcowolf (talk) 03:58, 21 June 2011 (UTC)
- Support as a minimum measure.--Cube lurker (talk) 12:47, 21 June 2011 (UTC)
- Support - This has been needed for ages and ages. LONG overdue. Those arguing that active admin accounts are at higher risk of being compromised ignores the fact that the more admin accounts we have, the greater chance that ONE or more of them can be compromised. Simple statistics. The ones not being used can be desysopped to lessen the total, not to mention keep the categories accurate and help people in need of help find an admin who is actually around and able to help them. There is no downside to this that I can see and arguments for the status quo just because "that's the way it's always been" aren't very convincing to me. - Burpelson AFB ✈ 13:05, 21 June 2011 (UTC)
- Support - Overdue and a proven security issue. See also WP:AN#Inactivity and security for another view on the issue. Mjroots (talk) 14:12, 21 June 2011 (UTC)
- Support - it's just good sense. J. Spencer (talk) 17:35, 21 June 2011 (UTC)
- Support not for security reasons but just to keep our list of active admins accurate and up-to-date. ElKevbo (talk) 17:47, 21 June 2011 (UTC)
- Weak Oppose Per others' analysis. This isn't a big problem requiring a big solution, and rogue admin accounts are not a substantial enough threat. But the way the proposal is crafted it is unlikely to do much harm except WP:CREEP and a little bit more work for Bureaucrats. --causa sui (talk) 19:56, 21 June 2011 (UTC)
- Support I thought I supported already, but it appears I didn't. This proposal has several real advantages and no noteworthy disadvantages as far as I can see. Yoenit (talk) 21:48, 21 June 2011 (UTC)
- Support I do not see the issue with asking the people that the community displayed their trust in to at least make one edit within every 365 days. As far as I can tell there is not even a restriction that says that it has to be a mainspace edit. They could just log in and make a comment on their own talk page, or if they know they're going to be away longer then the year there could be some way that before they leave that they could indicate this to prior to leaving so that they do not loose their status. This seems like something that should be done, though I'm not as concerned with the security issues, but just seems like common sense that those with power that are not around anymore should lose that power. I think that even when they come back they should have to go through some re-approval process by the community to gain back the rights, which assuming they left on good terms shouldn't be that much to ask and quick, maybe not a full RfA but maybe something similar because to not make a single edit on the site in a year makes me think that they no longer believe in the project. I know since I'm not a very experienced editor my opinion won't mean much but that is it. Jnorton7558 (talk) 06:21, 22 June 2011 (UTC)
- Support. Adminship is not a big deal. --Conti|✉ 00:20, 23 June 2011 (UTC)
- Support for security and tidiness of knowing who is an admin. Would support much lower time also. Some other active websites do this in two weeks(subject to an excpetion of the admin saying they are going to be away/holiday in advance.) Regards, SunCreator (talk) 02:12, 23 June 2011 (UTC)
- Support Security hazard, evolving policies, etc. True, all admin actions are reversible... but not easily. I know you can't do it anymore, but for example, it used to be possible for admins to delete pages such as United States that have a lot of revisions. The servers aren't happy when you delete something like that and restore it again. I'm sure there's other examples on MediaWiki of actions that would be quite difficult to reverse. --Rschen7754 07:13, 23 June 2011 (UTC)
- Weak support I don't find the limited evidence for compromised sysop accounts very compelling. Specifically there is absolutely no evidence suggesting that an inactive account is any more or less at risk than a semi active account or an account kept active in a perfunctory manner. However the downsides are limited and it is reasonable best practice to remove advanced permissions from people after they depart an organization. Protonk (talk) 15:07, 23 June 2011 (UTC)
- Support the concept strongly. But have some reservations about implementation. The phrasing "The admin will be contacted one month prior to the expiry of the one-year timeframe" has enough holes to drive a truck through. Contacted by whom? Exactly one month? Is more than a month OK? What if more than eleven months elapses before the email notification, is enforcement estopped? I'd prefer that notice be given at some time after a specified period, say eleven months (or twelve, to follow Rd232's suggestion), then after another 30 days, the bit can be removed.--SPhilbrickT 17:41, 23 June 2011 (UTC)
- I would imagine the clock starts after editing stops. So 11 months after the last edit, the system can leave a talk page message and an email (if available) and if the admin logs in at any point in that 11 months or in the last month after the notice the clock resets to another 11 months. Protonk (talk) 22:23, 23 June 2011 (UTC)
- Support This seems like common sense. Vitually every other website of any significance removes administrative permissions from people who vanish or simply stop logging in for an extended period of time. As other's I would also support a shorter timeframe, but a year is ok too. My primary concern is not one of someone going on a vandalism spree, in fact that would be easy to detect and not too hard to revert and deal with. What scares me is the administrator access to deleted pages and revisions, some of which are deleted for critical privacy reasons. I can very easily imagine someone with malicious intent compromising a dormant admin account and rather than editing, using it to view personal information that was specifically deleted so as not to be available to the public. Administratorship is a privilege given to people the community has trust in. Decreasing the number of accounts overall by desysopping long-dormant ones will in my eyes significantly reduce the overall number, resulting in fewer being available for people to try and compromise. And if someone comes back and wants their tools back, then asking a trusted bureaucrat and (theoretically) being checked out a bit by said 'crat is not to omuch to ask, nor is simply logging in and making an edit once a year. My guess is that most of the current admin accounts who have no edited in many years have no intention of using them again. Night Ranger (talk) 22:44, 23 June 2011 (UTC)
- (Conditional) Support So long as there are enough 'crats about that any requests made on 'crat chat are handled quickly, this seems like an eminently reasonable common sense proposal. If there are problems, we change it back to the status quo and reinstate any admins who are no longer active. Commons has similar activity requirements although they require admins perform an admin action - delete or block, say - to keep the admin bit, whereas this proposal just requires them to edit once in a while. There is only one slight point of contention though: a sensible solution would have to be found for people with higher user rights, namely 'crats, Checkusers, Oversighters. If a CU or OSer goes AFK for a year, it might be a bit strange for them to lose their sysop rights but still maintain the higher rights. —Tom Morris (talk) 15:55, 26 June 2011 (UTC)
- .... yeah, I might propose that as soon as this is over if it passes. The Resident Anthropologist (talk)•(contribs) 18:44, 26 June 2011 (UTC)
- The same thought occurred to me, and it turns out this is already handled by Arbcom. See Wikipedia_talk:Village_pump_(proposals)/suspend_sysop_rights_of_inactive_admins#Bureaucrats.2C_oversighters.2C_checkuser_etc.. Rd232 public talk 19:03, 26 June 2011 (UTC)
- Support. On balance, the risk of injury to the project seems greater from allowing a group of dormant, privileged accounts to linger unsupervised than from requiring minimal scrutiny over reactivation of those accounts. I would hope that the process for suspending admin status is open, transparent, and public. Hullaballoo Wolfowitz (talk) 18:57, 26 June 2011 (UTC)
- Support. It seems like a common sense thing, Sadads (talk) 21:22, 26 June 2011 (UTC)
- Support on condition that the admin is informed of whether or not he may face difficulties in regaining his status due to the circumstances under which he left.--Wehwalt (talk) 14:15, 27 June 2011 (UTC)
- Support. This goes without saying for me. It boggles the mind that we could, in the next few years, be coming across administrators who have not edited for a decade. The Cavalry (Message me) 15:02, 27 June 2011 (UTC)
- Support this proposal after I've had a chance to analyze the situation. There are three main reasons why this should be adopted practice:
- Inactive administrators may not be up-to-date on currently policies and how to handle situations, as especially seen with the cases on the administrator account Nabla as evidenced by this discussion and the administrator account Asterion as evidenced by this discussion.
- The security standpoint:
- The higher amount of administrator accounts there are, the higher the probability that a hacked account will also have sysop privileges, even when we ignore the fact that some of those administrators may still be active, as evidenced by the Spencer195 fiasco.
- There is also the possibility that an account with sysop privileges with have "silent abuse" with the view-deleted userright.
- Administrators did not know/worry about password strength and account security back then as much as the administrators of today do now.
- Newbies looking through Special:ListAdmins and trying to find an administrator to help them with something important that may require sysop privileges will be disappointed when they find many of the admins they are trying to contact are dead/retired/inactive.
- In my opinion drawn from these conclusions, there are far more benefits to removing advanced privileges from administrator accounts than there are harm to doing so. To the opposers, even if you argue that 2) there are higher chances of an active sysop account being hacked than an inactive one and 3) newbies should know already by looking at the retired template above inactive accounts, you cannot ignore 1. There is already evidence as seen by two different incidents on the administrators' noticeboard showing lack of knowledge or adherence to current policies and practices coming from inactive sysops. TeleComNasSprVen (talk • contribs) 20:06, 27 June 2011 (UTC)
- Support It's standard practice in many realms to remove privileges from those who no longer use them, whether for good reasons or for bad; simply abandoning the tools should be sufficient for no-fault de-sysopping, as long as it's made abundantly clear that these admins became former admins because of nothing that they did wrongly. Moreover, TeleComNasSprVen's final point is good: it doesn't help to have inactive people listed in places where others might request help. Building on ElKevbo's point, it's good to do a little house cleaning sometimes. Finally I do disagree with this proposal in one way: I would prefer to see a Commons style of inactivity de-adminship — policy there requires that someone who loses the rights due to inactivity must go through a new RFA. I'm happy to see someone re-adminned without an RFA if they lost the rights at their own uncontroversial request, but in many such cases, the users remain active and thus not likely to be compromised without us knowing it: since inactivity is the reason that these admins will be de-sysopped, we don't have as solid of a reason to believe that they're the same people as they originally were. Nyttend (talk) 04:53, 28 June 2011 (UTC)
- Support - as others have said, I find this to be uncontroversial, mainly for the security reasons. Logan Talk Contributions 05:13, 28 June 2011 (UTC)
- Support. Cla68 (talk) 13:13, 30 June 2011 (UTC)
- Support - This is a no-brainer as long as the admin can get their tools back just by asking for them. However, I'd go even farther and say that if an admin is inactive for a longer period of time (like 2 or 3 years), then the tools should be taken away permanently and they should be required to go through another RfA to get them back. After an admin is away for 2-3 years, it's reasonable to want to ensure that the admin is still familiar with the policies/guidelines, and is up to date on what has changed since they left. —SW— converse 17:22, 30 June 2011 (UTC)
Discussion
edit- Moved to talk page