On Feb 5, 2014 8:21 AM, "MZMcBride" <z(a)mzmcbride.com> wrote:
> Steven Walling wrote:
>> I fully agree, and this is why the RFC is very clear that the *only
>> immediate change proposed* is an increase in required minimum length from
>> one character to six. It does not suggest that we require more complex
>> character types, such as mixed upper/lower case, numbers, symbols and so
>> on. Just increasing the length, and hopefully suggesting to users how to
>> pick a strong password, is plenty for MediaWiki defaults.
>
> General consensus (on this mailing list and at the RFC) seems to be that
> we can certainly encourage stronger passwords, but we should not require
> stronger passwords for standard accounts. Accounts with escalated
> privileges (admin, checkuser, etc.) should likely be treated differently.
>
> Ultimately, account security is a user's prerogative. If a user wants to
> use "wiki" as his or her password, we can say that's not a great idea, but
> I don't see why we would outright ban it. Similarly, more complex
> passwords lead to people using a sticky note or similarly poor practices.
>
> Wikimedia wiki accounts are nearly valueless. Banks and even e-mail
> providers have reason to implement stricter authentication requirements.
> Meanwhile on Wikimedia wikis, there's very little incentive to log in.
> What's the purpose of securing such standard accounts? This has an
> associated cost. What's the benefit?
>
> Perhaps there are better arguments for why we should lock an unknown
> number of users out of their accounts every time someone upgrades
> MediaWiki, but currently the pros column seems a lot weaker than the cons
> column for implementing this change to $wgMinimalPasswordLength.
>
> MZMcBride
I think Steven meant upping the requirements for new accounts only. In that
way nothing gets broken immediately. I'm still not absolutely convinced
this is more useful than a hindrance if we clearly inform the user about
password strength when they set them (see my earlier post about "this
password can be brute forced in x"). If users are then not deterred from
setting their password to "wiki", apparently they didn't care, as we told
them how easy it is to brute force.
If Steven did mean something that will lock people out of their account on
upgrades, then I don't think that's a good idea at all.
Martijn.
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
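The two ideas argued over in the thread, a six-character floor on new accounts (MZMcBride's quoted section on $wgMinimalPasswordLength) and a "this password can be brute forced in x" hint at signup (Martijn's reply), as a worked example. This is an added illustration, not MediaWiki code and not an implementation of $wgMinimalPasswordLength: the guess rate, the way the search alphabet is inferred from the password, the 365-day year and the "existing accounts are exempt" rule are all assumptions chosen to show the mechanics.

```python
"""Password-length policy and brute-force-time estimate.

Added illustration for the thread above; not MediaWiki code and not an
implementation of $wgMinimalPasswordLength. The guess rate, the charset
inference and the "new accounts only" rule are assumptions.
"""
import string

# Assumed offline guessing rate against a fast, unsalted hash
# (illustrative order of magnitude, not a measurement).
GUESSES_PER_SECOND = 1e9

# Character classes used to infer the alphabet an attacker must search.
CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
)


def charset_size(password: str) -> int:
    """Alphabet size: each class the password touches counts in full,
    plus any character outside all four classes counted individually
    (e.g. non-ASCII letters)."""
    chars = set(password)
    size = sum(len(cls) for cls in CLASSES if chars & cls)
    size += len(chars - set().union(*CLASSES))
    return size


def keyspace(password: str) -> int:
    """Candidates an exhaustive search of that alphabet and length must
    try. This is an upper bound: a dictionary attack finds a word like
    "wiki" far sooner than the figure suggests."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    return keyspace(password) / rate


def human_time(seconds: float) -> str:
    """Render a duration the way a 'can be brute forced in x' hint would."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    if seconds >= 1:
        return f"{seconds:.1f} seconds"
    return "under a second"


def meets_min_length(password: str, min_length: int = 6,
                     existing_account: bool = False) -> bool:
    """The thread's proposal as a check: a six-character floor applied
    at account creation. Existing accounts are exempt so that an
    upgrade does not lock anyone out (assumed policy, not MediaWiki's)."""
    if existing_account:
        return True
    return len(password) >= min_length


def strength_hint(password: str) -> dict:
    """Feedback a signup form could show beside the password field."""
    return {
        "charset": charset_size(password),
        "keyspace": keyspace(password),
        "brute_force_time": human_time(seconds_to_exhaust(password)),
    }


if __name__ == "__main__":
    # Constructed sample passwords: the thread's "wiki", a short
    # mixed-class password, and a long all-lowercase one.
    for pw in ("wiki", "W1k!", "wikiwikiwiki"):
        print(f"{pw!r:16} min-length ok: {meets_min_length(pw)!s:5} "
              f"{strength_hint(pw)}")
```

Running it shows the point Steven's RFC makes about length versus character classes: at the assumed rate, both "wiki" (26^4 candidates) and the four-character mixed-class "W1k!" (94^4) fall in under a second, while twelve lowercase letters (26^12) take about three years of exhaustive search. The exhaustive figure is an upper bound only; any hint shown to users should say so, since "wiki" is in every wordlist and is found on the first few guesses regardless of alphabet size.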