Chris Steipp wrote:
> 1) As I understand it, the reason we went from 0 to 1 character required
> is spammers were actively trying to find accounts with no password so they
> could edit with an autoconfirmed account.
Err, citation needed. :-)
I'd forgotten that I'd filed <https://bugzilla.wikimedia.org/18222>
(related to MediaWiki core rather than Wikimedia). I thought the change
from 0 to 1 for this variable generally was due to integration issues with
other authentication systems, but I have no idea why I think this. I
looked at an older version of Wikimedia's InitialiseSettings.php and found
only the accompanying code comment "enforce prohibition of blank
passwords" (the $wgMinimalPasswordLength variable was presumably
subsequently removed when someone noticed that its value matched the
software default value). I didn't see any relevant entries in the
Wikimedia server admin log in my brief search.
Arguing to increase minimal password length as an anti-spam measure is
reasonable provided that there's an actual (i.e., demonstrable) issue that
needs to be addressed and that there's good reason to believe that this
particular measure will mitigate that issue. However, if there isn't
evidence to suggest that this is an effective anti-spam approach, a
needless increase in the default value of this variable has the taste of
security theater.
> 2) We do have a duty to protect our users' accounts with a reasonable
> amount of effort/cost proportional to the weight we put on those
> identities. I think we would be in a very difficult spot if the foundation
> tried to take legal action against someone for the actions they took with
> their user account, and the user said, "That wasn't me, my account
> probably got hacked. And it's not my fault, because I did the minimum you
> asked me."
With respect, I think this is an unfair argument to make. It strikes me as
a rough appeal to authority (legal consequences) without any kind of
reference or substantiation. If you think that the setting of
$wgMinimalPasswordLength in MediaWiki core or on Wikimedia wikis is a
legal issue, you should consult with the Wikimedia Foundation legal team.
I don't think it's fair to use legal theories and speculation as a basis
for changing software settings. The fact that most users can edit while
logged out ("anonymously") also seems to poke large holes in this idea.
> Whether it's 4 or 6 characters for us I think is debatable, but I think 1
> is not reasonable.
Minimal password length has been configurable since January 2005 (cf.
<https://www.mediawiki.org/wiki/Special:Code/MediaWiki/48968>) and no
Wikimedia wiki community has asked for it to be increased in all these
years, as far as I'm aware (I looked around Bugzilla). I think most users
feel that account maintenance is a personal responsibility issue. As
discussed at <https://bugzilla.wikimedia.org/25925> it's a matter of
convenience versus security.
If you want to set the value of $wgMinimalPasswordLength higher for
officewiki or other private Wikimedia wikis, that's obviously (at least
partially) your prerogative. But for MediaWiki core and for standard
Wikimedia wikis, I'd like there to be a decent rationale before we
consider inconveniencing users.
MZMcBride
P.S. I also casually wonder whether there's a reasonable argument to be
made here that requiring longer passwords will hurt editor retention more
than it helps, but this thought is still largely unformed and unfocused.