On Tue, Feb 4, 2014 at 11:59 PM, Martijn Hoekstra <martijnhoekstra(a)gmail.com> wrote:
> I think Steven meant upping the requirements for new accounts only. In that
> way nothing gets broken immediately. I'm still not absolutely convinced
> this is more useful than a hindrance if we clearly inform the user about
> password strength when they set them (see my earlier post about "this
> password can be brute forced in x"). If users are then not deterred from
> setting their password to "wiki", apparently they didn't care, as we told
> them how easy it is to brute force.
We do not mean for new accounts only. We mean for all accounts.
> If Steven did mean something that will lock people out of their account on
> upgrades, then I don't think that's a good idea at all.
We will not lock people who are using their accounts out. The RFC
explicitly mentions two things which will help us keep people from being
locked out of their accounts:
1. Being extremely loud about announcing the change. We have used
cluster-wide banners for this kind of purpose before.
2. As described in the RFC, there is a patch undergoing review which will
make it possible to force a reset *after* the user logs in again.
In any case, this RFC is about the MediaWiki default. If we want to set the
MediaWiki default in core but wait to update Wikimedia sites until we are
sure we won't lock a bunch of active users out of their accounts, we can do
that. We should separate the rollout strategy from the question of whether
a minimum password length is a good default in MediaWiki.