On 0, Gregory Maxwell gmaxwell@gmail.com scribbled:
On 5/7/07, Mark Ryan ultrablue@gmail.com wrote:
On 07/05/07, Blu Aardvark jeffrey.latham@gmail.com wrote:
In addition, it should be entirely disallowed for a user to create a password containing the string "password" or that is identical to their username.
I agree entirely, except I think, for longer usernames at least, it should not *contain* their username. But that sorta gets stuffed up when people have like [[User:A]]. :-\
If we can get consensus to do it we could run a password cracker on all the hashes of the sysops' passwords.. desysop the inactive ones with weak passwords, and quietly email the active ones with weak passwords and tell them to pick better ones.
Ultimately it would be nice if we had a password strength checker ... but doing this would address the immediate need.
I second this. The bad guys are already running password crackers. (And if they aren't already, these incidents guarantee someone will.) Let's beat 'em to the punch.
Better that we learn from this while the damage is limited. There is no downside to requiring stronger passwords; fortunately for us, this is common sense which is legislate-able.
-- Gwern Inquiring minds want to know.