On Tue, Feb 4, 2014 at 11:59 PM, Martijn Hoekstra <martijnhoekstra@gmail.com> wrote:
I think Steven meant upping the requirements for new accounts only. In that way nothing gets broken immediately. I'm still not absolutely convinced this is more useful than a hindrance if we clearly inform the user about password strength when they set them (see my earlier post about "this password can be brute forced in x"). If users are then not deterred from setting their password to "wiki", apparently they didn't care, as we told them how easy it is to brute force.
We do not mean for new accounts only. We mean for all accounts.
If Steven did mean something that will lock people out of their account on upgrades, then I don't think that's a good idea at all.
We will not lock people who are using their accounts out. The RFC explicitly mentions two things which will help us keep people from being locked out of their accounts:
1. Being extremely loud about announcing the change. We have used cluster-wide banners for this kind of purpose before.
2. As described in the RFC, there is a patch undergoing review which will make it possible to force a reset *after* the user logs in again.
In any case, this RFC is about the MediaWiki default. If we want to set the MediaWiki default in core but wait to update Wikimedia sites until we are sure we won't lock a bunch of active users out of their accounts we can do that. We should separate out the rollout strategy from whether we think that a minimum password length is a good default in MediaWiki.
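The thread contrasts two mechanisms: warning the user at password-set time how quickly a password could be brute forced, and enforcing a minimum length for all accounts without locking anyone out, by forcing a reset only after a successful login. The following is an added illustration of both, not MediaWiki code and not the patch mentioned in the RFC. The 8-character minimum, the assumed guess rate, and the names `Account`, `check_policy`, `set_password` and `login` are assumptions; the key point it shows is that an existing account's password can only be re-checked against a new policy at login, because the store holds a hash, not the password.

```python
"""Minimum-length policy plus reset-after-login: a generic model (added example).

Not MediaWiki code. Names, the 8-character minimum and the attacker guess
rate are assumptions chosen for illustration.
"""
import hashlib
import hmac
import math
import os
import string

MIN_LENGTH = 8                      # assumed new default; not the RFC's figure
ASSUMED_GUESSES_PER_SECOND = 1e9    # assumed offline attacker rate for the warning
PBKDF2_ROUNDS = 100_000


def charset_size(pw: str) -> int:
    """Size of the smallest standard character class union covering pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 ASCII symbols
    if any(c not in string.printable for c in pw):
        size += 100                       # rough allowance for other characters
    return size


def brute_force_seconds(pw: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case exhaustive-search time: the 'x' in 'can be brute forced in x'.

    This is an upper bound; dictionary attacks finish far sooner on words like
    'wiki', so the warning understates the real risk rather than overstating it.
    """
    if not pw:
        return 0.0
    return charset_size(pw) ** len(pw) / rate


def describe_strength(pw: str) -> str:
    """Human-readable warning to show when a password is set."""
    secs = brute_force_seconds(pw)
    if secs < 60:
        return f"this password can be brute forced in under a minute ({secs:.3g} s)"
    return f"this password can be brute forced in about {math.ceil(secs / 86400)} days"


def check_policy(pw: str, min_length: int = MIN_LENGTH) -> list:
    """Return a list of violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    return problems


def hash_password(pw: str, salt: bytes = None) -> bytes:
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def verify_password(pw: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Account:
    """An account created before the policy change: only the hash is stored."""

    def __init__(self, name: str, legacy_pw: str):
        self.name = name
        self.stored = hash_password(legacy_pw)   # legacy path, no policy check
        self.must_reset = False


def set_password(account: Account, pw: str, min_length: int = MIN_LENGTH) -> None:
    """Policy is enforced here for new passwords; the warning is shown regardless."""
    problems = check_policy(pw, min_length)
    if problems:
        raise ValueError("; ".join(problems))
    account.stored = hash_password(pw)
    account.must_reset = False


def login(account: Account, pw: str, min_length: int = MIN_LENGTH) -> str:
    """Return 'denied', 'ok' or 'reset_required'.

    The submitted password is the only point at which a legacy password can be
    checked against the new policy, so a failing one still authenticates but
    flags a forced reset instead of locking the user out.
    """
    if not verify_password(pw, account.stored):
        return "denied"
    if check_policy(pw, min_length):
        account.must_reset = True
        return "reset_required"
    return "ok"
```

A rollout that skips the login step and instead rejects every stored password that fails the new policy would be the lock-out the thread wants to avoid; the model above only ever denies a login for a wrong password.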