Last modified: 2011-03-19 23:46:34 UTC
It seems that MediaWiki doesn't allow login using a hashed password. The bot's password can be easily viewed by other people. My suggestion is to support md5, sha1 or sha256 hashes so that the password can't be easily unhashed.
Which is exactly the same as normal login. Also, how are we supposed to then hash the password with a salt? (Note this is off the top of my head, no code access atm.) Which also limits the hashing types... That, and md5 isn't the most secure. And many lookup tables exist to try and get your password from the hash. Besides, if the zoo accepts hashes, if your hash is intercepted, you're back to square one. Also, if we expose the salt, it gives the same issues.
Just set a password like a4d35e93d6c0787428f2fdf6a29457e0. If your bot can log into the wiki, an attacker who stole all your bot data could as well. If you don't like to store passwords in configuration files, you can make the bot only store the authentication in memory, and forget the password as soon as it gets logged in. Some bots also offer a middle alternative, which is prompting for the password the first time, and then working from the saved cookie. That cookie is password-equivalent, but at least the password is not published.
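
The middle alternative from the last comment (prompt once, then work from the saved cookie), as an added example that is not part of the thread or of any bot framework. `login` is a hypothetical callable standing in for the bot's real wiki login, and the cookie file path is whatever the caller chooses.

```python
import getpass
import http.cookiejar
import os
import stat


def load_session(path):
    """Return the saved cookie jar, or None if there is no usable session."""
    jar = http.cookiejar.LWPCookieJar(path)
    try:
        # The cookie is password-equivalent: refuse a file others can read.
        if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            return None
        jar.load(ignore_discard=True)  # keep session cookies; expired ones are skipped
    except (FileNotFoundError, http.cookiejar.LoadError):
        return None
    return jar if len(jar) else None


def save_session(jar, path):
    """Write the cookies to a file that only the bot's user can read."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.close(fd)
    os.chmod(path, 0o600)  # tighten a pre-existing file too
    jar.save(path, ignore_discard=True)


def get_session(path, login, prompt=getpass.getpass):
    """Reuse the saved cookie if possible; otherwise prompt once and log in.

    `login` is a hypothetical callable (password -> CookieJar) standing in
    for the bot's real wiki login request.
    """
    jar = load_session(path)
    if jar is not None:
        return jar
    password = prompt("Bot password: ")
    try:
        jar = login(password)
    finally:
        del password  # drop the reference; the password is never written to disk
    save_session(jar, path)
    return jar
```

Because the saved cookie grants the same access as the password, the file mode check in `load_session` forces a fresh prompt whenever the file has become readable by other users.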