On 5/7/07, Mark Ryan <ultrablue(a)gmail.com> wrote:
> On 07/05/07, Blu Aardvark <jeffrey.latham(a)gmail.com> wrote:
> > In addition, it should be entirely disallowed for a user to create a
> > password containing the string "password" or that is identical to their
> > username.
>
> I agree entirely, except I think, for longer usernames at least, it
> should not *contain* their username. But that sorta gets stuffed up
> when people have like [[User:A]]. :-\
>
> If we can get consensus to do it we could run a password cracker on
> all the hashes of the sysops' passwords, desysop the inactive ones
> with weak passwords, and quietly email the active ones with weak
> passwords and tell them to pick better ones.
>
> Ultimately it would be nice if we had a password strength checker ...
> but doing this would address the immediate need.
I second this. The bad guys are already running password crackers. (And if they aren't
already, these incidents guarantee someone will.) Let's beat 'em to the punch.
Better that we learn from this while the damage is limited. There is no downside to
requiring stronger passwords; fortunately for us, this is common sense which is
legislate-able.
--
Gwern
Inquiring minds want to know.
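The two proposals in this thread, a password-policy check and an offline audit of the sysops' hashes, as an added example that is not code from the thread, from MediaWiki, or from any of the posters. It assumes a minimum length of 8 (the thread sets none), exempts usernames shorter than 4 characters from the "must not contain the username" rule so that a name like [[User:A]] is not blocked, and hashes with a salted MD5 laid out in the style of MediaWiki's old ":B:" format (treat the exact layout as an assumption). The accounts, salts and wordlist are constructed for the example.

```python
# Added example, not code from the thread or from MediaWiki.
# Every threshold and the hash layout below are assumptions.
import hashlib

MIN_PASSWORD_LEN = 8             # assumption: the thread sets no length
SUBSTRING_RULE_MIN_USERNAME = 4  # assumption: names shorter than this are
                                 # exempt from the "must not contain the
                                 # username" rule, so [[User:A]] can still
                                 # use a password containing the letter "a"


def password_problems(username, password):
    """Return the list of policy violations for a proposed password.

    An empty list means the password is acceptable under these rules:
      * at least MIN_PASSWORD_LEN characters (assumed length)
      * does not contain the string "password" (case-insensitive)
      * is not identical to the username (case-insensitive)
      * for usernames of SUBSTRING_RULE_MIN_USERNAME or more characters,
        does not contain the username anywhere
    """
    u = username.strip().lower()
    p = password.lower()
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append("too short")
    if "password" in p:
        problems.append("contains the string 'password'")
    if p == u:
        problems.append("identical to username")
    elif len(u) >= SUBSTRING_RULE_MIN_USERNAME and u in p:
        problems.append("contains username")
    return problems


def salted_hash(password, salt):
    """Salted MD5 in the style of MediaWiki's old ':B:' hashes.

    Assumed layout: ":B:<salt>:" + md5(salt + "-" + md5(password)).
    """
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    outer = hashlib.md5(("%s-%s" % (salt, inner)).encode("utf-8")).hexdigest()
    return ":B:%s:%s" % (salt, outer)


def audit_sysops(accounts, wordlist):
    """Offline audit of stored hashes against a wordlist plus username guesses.

    accounts: {username: (stored_hash, is_active)}
    Returns {username: "ok" | "email" | "desysop"}, following the thread's
    proposal: weak and active -> email them; weak and inactive -> desysop.
    """
    verdicts = {}
    for user, (stored, active) in accounts.items():
        _, _, salt, _ = stored.split(":")
        # Try the wordlist plus the obvious username-derived guesses.
        guesses = list(wordlist) + [user, user.lower(), user + "123"]
        cracked = any(salted_hash(g, salt) == stored for g in guesses)
        if not cracked:
            verdicts[user] = "ok"
        elif active:
            verdicts[user] = "email"
        else:
            verdicts[user] = "desysop"
    return verdicts


# Constructed sample data for the example (not real accounts, salts or hashes).
SAMPLE_WORDLIST = ["password", "password1", "123456", "letmein", "qwerty"]
SAMPLE_ACCOUNTS = {
    "Alice": (salted_hash("password1", "1a2b"), True),               # weak, active
    "Bob": (salted_hash("bob", "3c4d"), False),                      # weak, inactive
    "Carol": (salted_hash("correct horse battery", "5e6f"), True),   # holds up
}

if __name__ == "__main__":
    for name, pw in [("Alice", "alicepassword"), ("A", "apples123"), ("Ryan", "Ryan")]:
        print(name, repr(pw), password_problems(name, pw) or "ok")
    print(audit_sysops(SAMPLE_ACCOUNTS, SAMPLE_WORDLIST))
```

The audit is deliberately cheap: a short wordlist and three username-derived guesses are enough to find the passwords the thread is worried about, and anything the bad guys would find in seconds is found here too. A real run would use a much larger wordlist and rate the result against account activity the same way.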