Template:Committed identity/doc: Difference between revisions
m Protected "Template:Committed identity/doc": Highly accessed documentation page for user identification fallback. ([Edit=Require autoconfirmed or confirmed access] (indefinite) [Move=Require autoconfirmed or confirmed access] (indefinite)) |
→Obtaining a hash: clarify |
||
Line 28: | Line 28: | ||
=== Obtaining a hash === |
=== Obtaining a hash === |
||
Use [[toollabs:text2hash|Fastily's browser tool]] or software on your computer such as <code>sha512sum</code> provided in the [[GNU Core Utilities]]. |
Use [[toollabs:text2hash|Fastily's browser tool]] or software on your computer such as <code>sha512sum</code> provided in the [[GNU Core Utilities]]. The use of other online hash generators is not recommended, as they are outside Wikipedia's control and should not be trusted with your secret string. |
||
=== Choosing a good secret string === |
=== Choosing a good secret string === |
Revision as of 16:33, 4 June 2018
This is a documentation subpage for Template:Committed identity. It may contain usage information, categories and other content that is not part of the original template page. |
This template gives you a way to later prove that you are the person who was in control of your account on the day this template was placed. This is done by putting a code (called a "hash") on your user page so that, in the event that your account is compromised, you can convince someone else that you are really the person behind your username.
Why?
The intended use of this template is to help in the hopefully unlikely event that your account is compromised. If you published your real-life identity, then that identity could be used to reestablish contact with you if your account were compromised; keep in mind, in this scenario contact could not be established with you through your account, since it may be under the control of someone else. However, many Wikipedia users do not disclose their real-life identities, or disclose little enough of them that it may be difficult to establish their identity.
This is not a replacement for having a strong password, nor for registering an email address for your account. You should still do everything you can to prevent your account being compromised, including using a strong password and remembering to log yourself out when using a computer to which others may have access. If you have one, it may also be helpful to post your PGP public key. But even with the best of precautions, your account could become compromised, for instance, via a trojan horse or a brute-force attack on your password. This is intended to be a last resort.
How
The idea is to use cryptographic hashes; you choose a secret string known only to yourself, put it through a one-way hash function, and publish the result somewhere. It is infeasible to determine the secret string corresponding to the hash; hence, an attacker compromising an account presumably would not be able to supply the secret string.
Syntax
{{Committed identity|hash|hash function used|background=CSS color|border=CSS color|article=grammatical article for the hash function}}
Italicized text should be replaced with appropriate input, or its parameter should be removed. Parameters are represented by "parameter=value", and separated by vertical bars |.
- Replace "hash" with the hash produced from your secret string. This unnamed parameter is equivalent to a parameter named "1" (see parameters).
- The "hash function used" parameter, if not included, defaults to SHA-512. (This hash function is strongly recommended.)
- The "background" parameter, if not included, defaults to #E0E8FF (light blue, see Web colors#Hex triplet)
- The "border" parameter, if not included, also defaults to #E0E8FF.
- The "article" parameter, if not included, defaults to "a". The other likely value is "an".
For example, if your hash is "1eb00f7cdeaa38f5e9aec8f065b956acf94d416a4a40c1fb5d1dd23b857ba6fe" using SHA-256, and you want a light orange box with a black border, use the following code:
{{Committed identity|1eb00f7cdeaa38f5e9aec8f065b956acf94d416a4a40c1fb5d1dd23b857ba6fe|SHA-256|background=#FC9|border=#000}}
to produce
Obtaining a hash
Use Fastily's browser tool or software on your computer such as sha512sum
provided in the GNU Core Utilities. The use of other online hash generators is not recommended, as they are outside Wikipedia's control and should not be trusted with your secret string.
Choosing a good secret string
- Your secret string should end with a long string of random text like "fFfwq0DuDmMXj8hYTM3NTKeDhk". This ensures that brute force and dictionary attacks cannot infer your identity from your public hash.
- Your secret string should specify enough of your identity that, if the string were revealed, you could unambiguously prove that you match that identity. At least two means of contact is a good rule. For instance, your secret string could include a telephone number and email address at which you can be reached. However, it should not contain data that you are not willing to show to Wikipedia's administrative staff.
- Try not to choose a secret string that represents your identity that could go completely out of date. For instance, it may be bad to choose a string that specifies only your telephone number as that number might change.
- If you want to change your secret string, do so, but keep track of all your old secret strings. It is best to reveal all of them if you ever want to confirm your identity, as this will establish that you are the same person who used your account from the first moment the committed identity was published.
- Advanced options:
- If you have public accounts on other websites with different passwords, list URLs of those accounts. You can later take a specified action to prove that you own those accounts. For example, if you have a YouTube account, an administrator can provide a string which you then insert in a video comment.
- You may include information such as your driver's license number, national identification number, or passport number. You can then later supply copies of these documents as additional evidence to prove your identity.
- Another option is to take a photo or video of yourself, take a SHA hash of the resulting file, and include that hash in your secret string. Retain the file. You can then later supply the file to an administrator, and they can video call with you and compare the file with your current appearance. This will remain effective even if the attacker has compromised all your listed means of contact.
Example
full name, multiple forms of contact, contact information for trusted friends, and a random string:
Joe Schmoe. joe@example.com. 555-123-3456. P.O. Box 1234, San Jose, CA. My best friend Bob's email: bob@example.com. fFfwq0DuDmMXj8hYTM3NTKeDhk
which results in a SHA-512 hash of
See also
- Don't leave your fly open (essay)
- User:Unimaginative Username/Simple Committed ID Instructions
- Strong password
- Wikipedia:Changing username
- Wikipedia:Security
- Wikipedia Signpost: Committed identity
- Two-factor authentication
Code | Result | Transclusions | ||
---|---|---|---|---|
{{User:Anomie/Userbox committed identity|…}} |
|
Transclusions | ||
{{User:Urdna/CIDuserbox}} |
|
Usage | ||
{{Template:User CID}} |
|
Usage |