Hi.
Tyler Romeo wrote:
> On Wed, Feb 5, 2014 at 2:20 AM, MZMcBride z@mzmcbride.com wrote:
>> Ultimately, account security is a user's prerogative. [...] Banks and even e-mail providers have reason to implement stricter authentication requirements.
> This is conflicting logic. If it is the user's job to enforce their own account security, what reason would banks or email providers have to require long passwords?
I'm not sure the logic is conflicting. I tried to separate individual thoughts into individual paragraphs. The common thread of my message was that I haven't yet seen enough evidence that the cost here is worth the benefit. The benefits to securing valueless accounts remains unclear, while the implementation cost is non-negligible.
E-mail accounts are often used in identity verification processes and banks are banks. While you and I may disagree with their password policies, there's at least a reasonable explanation for implementing more stringent requirements in these two cases. Compare with MediaWiki user accounts. What's the argument here? Why is this worth any effort?
I personally regularly use single-character passwords on test MediaWiki wikis (and other sites) because, as a user, it's my right to determine what value to place in a particular account.
If one day MediaWiki wikis (or Wikimedia wikis, really) allow per-user e-mail (i.e., mzmcbride@wikipedia.org) or if there comes a time when identity verification becomes part of the discussion (compare with Twitter's blue checkmark verified account practice), then it may make sense to require (l|str)onger passwords in those specific cases. Even today, if you want to make Jimmy or members of the Wikimedia Foundation staff have crazy-long passwords, that may be reasonable or prudent or what-have-you, but that doesn't mean MediaWiki core should go along.
> If somebody guesses a user's password and empties their bank account, the bank could care less, since it is the customer's fault for not making sure their password is long enough.
I'm not sure this is true, but it's too off-topic to discuss here. A thread about global banking laws and practices, particularly with regard to liability and insurance and criminal activity, would certainly be interesting to read, though. :-)
> I'm sure a very heavy Wikipedia editor, who uses his/her account to make hundreds of edits a month but isn't necessarily an administrator or other higher-level user, sees their account as something more than a throwaway that can be replaced in an instant.
I absolutely agree with you on this point. And I think we can encourage stronger passwords, even on the login form if you'd like. Rather than only using user groups, we could also use edit count or edit registration date or any number of other metrics. The catch, of course, is (a) finding developer consensus on a reasonable implementation of a password strength meter and (b) finding local community consensus to make changes on a per-variable basis.
> For example, MZMcBride, what if your password is "wiki", and somebody compromises your account, and changes your password and email. You don't have a committed identity, so your account is now unrecoverable.
For what it's worth, I think I have one or two committed identities buried in my user page history on the English Wikipedia. In any case, as you note, it's mostly a moot point with me.
Finally, while not always the best precedent, it seems fair to look at the history here. As I recall (I'm relying on Cunningham's Law a little bit here ;-) UseModWiki and other early wiki engines allowed anonymous editing and even the ability to specify only a username when making an edit. MediaWiki itself used to allow completely blank passwords and people who are still active today used to have zero-length passwords. If history is any guide here, the idea that standard wiki accounts, and even online identity, is not particularly valuable is not new in the wiki world. Perhaps it's no longer the case today, but there was (and hopefully is) a noble goal to encourage a strong focus primarily on the content rather than the contributor. A lofty goal, indeed.
MZMcBride
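The tiered password policy sketched in this exchange (stricter minimums for staff or admin groups, softer "encouragement" for heavy or long-standing editors based on edit count or registration date, and a near-zero floor for throwaway accounts) written out as an added Python example. This is not MediaWiki code and not anything posted in the thread; the `User` fields, the rule table, the thresholds and the enforce-versus-advise split are all assumptions chosen to illustrate the idea.

```python
"""Risk-tiered password minimums: which rules apply depends on the account's
groups, edit count and age, and each rule is either enforced (blocks the
password) or advisory (only produces a hint for the login/change form).
Added illustration; rule table and thresholds are assumptions, not MediaWiki's."""
from dataclasses import dataclass
from datetime import date


@dataclass
class User:
    name: str
    groups: frozenset = frozenset()
    edit_count: int = 0
    registered: date = date(2014, 2, 5)  # constructed default registration date


# (label, applies(user, today), minimum length, enforce?)
# enforce=True  -> password is rejected when too short
# enforce=False -> user is only advised, in the spirit of "encourage, don't require"
RULES = [
    ("default",         lambda u, t: True,                             1, True),
    ("sysop",           lambda u, t: "sysop" in u.groups,              10, True),
    ("staff",           lambda u, t: "staff" in u.groups,              16, True),
    ("active editor",   lambda u, t: u.edit_count >= 100,               8, False),
    ("veteran account", lambda u, t: (t - u.registered).days >= 365,    8, False),
]


def applicable_rules(user, today):
    """Return the (label, min_length, enforce) triples that apply to this user."""
    return [(label, n, enforce) for label, pred, n, enforce in RULES if pred(user, today)]


def required_min_length(user, today):
    """Hard minimum: the largest enforced rule that applies to the user."""
    return max(n for _, n, enforce in applicable_rules(user, today) if enforce)


def evaluate_password(user, password, today):
    """Return (blocking, advisory): human-readable findings for every applicable
    rule whose minimum the password fails, split by whether the rule is enforced."""
    blocking, advisory = [], []
    for label, n, enforce in applicable_rules(user, today):
        if len(password) < n:
            msg = f"{label}: need {n} characters, got {len(password)}"
            (blocking if enforce else advisory).append(msg)
    return blocking, advisory


if __name__ == "__main__":
    today = date(2014, 2, 5)
    for user, pw in [
        (User("Throwaway"), "x"),
        (User("Editor", edit_count=500, registered=date(2010, 1, 1)), "wiki"),
        (User("Staffer", groups=frozenset({"staff"})), "wiki"),
    ]:
        blocking, advisory = evaluate_password(user, pw, today)
        print(user.name, "blocked" if blocking else "accepted", blocking, advisory)
```

The split between blocking and advisory findings is the point: a heavy editor with a four-character password is warned on the form but not locked out, while a staff account is held to the enforced minimum, and a plain account keeps a one-character floor. Whether each rule should enforce or advise is exactly the per-community decision the message says would need local consensus.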