I'm not sure that I agree with that assessment *of password strength testing tools* (not humans), for a couple of reasons.
0. Weak passwords are a huge problem, and may be closely related to the weakness that the attackers are currently using to compromise Wikimedia accounts. As far as I know, Wikimedia currently has no internal way to deal with that problem. We *should* have a way to deal with that problem, but it seems to me that using a tool that I recommended is the lesser of two evils at the moment. In the long run, it would be much better if Wikimedia had an internal tool to validate the strength of users' passwords and block passwords that fall below a certain strength level.
1. If you don't trust that strength testing site (which is fine), choose another. I did a couple of quick checks on that site; while it's entirely possible that I missed something, it appeared to me that the site was not sending passwords over the Internet, whether in the clear or encrypted. The use of HTTP or HTTPS is irrelevant if the data isn't getting sent out in the first place.
Do you have a better solution in mind to deal with the immediate problem of weak passwords, besides 2FA, which is not available to everyone?
Pine
On Thu, Nov 17, 2016 at 12:08 AM, Antoine Musso hashar+wmf@free.fr wrote:
On 16/11/2016 at 19:19, Pine W wrote:
(0) Consider testing your password strength with a tool like http://www.testyourpassword.com/; be sure that the tool you use does not send your chosen password over the Internet and instead tests it locally.
By using an online testing tool, you are effectively breaking the very first rule:
DO NOT GIVE OUT YOUR PASSWORD. EVER.
Using that site is exactly like sharing your password with a random stranger in the world. Even if you trusted that website, and audited the code at a given point in time, you have no guarantee the site hasn't changed or that it is not collecting passwords.
-- Antoine "hashar" Musso
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l