I feel like I should reiterate why I proposed this change. Maybe no one
cares, but I think it might help convince folks this is NOT an argument for
"let's reduce user freedom in the name of security."
I didn't work on the RFC because I love tinkering with password security
in my spare time and know lots about it. Far from it. I did it because I
think we're failing MediaWiki users on *all installations* by inviting them
to sign up for an account, and then failing to set default requirements
that help them adequately secure those accounts. Users tend to follow
defaults and do the minimum effort to reach their goals -- in this case to
sign up and then get editing. It's our job as the MediaWiki designers and
developers to set good defaults that encourage account security without
being excessively annoying.
In addition to just being sane about security defaults, there is more.
Allow me to wax poetic a moment... If you can edit anonymously, why do we
allow and encourage registration at all? Many reasons of course, but one of
them is because it is a rewarding experience to have a persistent identity
on a wiki. We all know how real that identity becomes sometimes. When I
meet Krinkle or MZMcBride in real life, I don't call them Timo and Max. Or
if I do, I don't think of them as those names in my head.
When wiki users start an account, they might think that they are just
creating something unimportant. They may actually have bad intentions. But
part of this is that we're offering people an account because it gives them
a chance to be recognized, implicitly and explicitly, for the work they do
on our wikis.
I think setting a default of 1 character passwords required doesn't
reinforce the idea that an account is something you might actually come to
cherish a bit, and that it might even represent you in some important way
to others. By signaling to new users that an account is so worthless that
it's cool if you have a one character password... well, is that really such
a good thing?
On Thu, Feb 6, 2014 at 5:44 PM, MZMcBride <z(a)mzmcbride.com> wrote:
> P.S. I also casually wonder whether there's a reasonable argument to be
> made here that requiring longer passwords will hurt editor retention more
> than it helps, but this thought is still largely unformed and unfocused.
I think that's a canard. There are many many sites that do not have user
acquisition or retention problems, while also having sane password length
requirements. Yes, this is a potential extra roadblock, which may slightly
reduce conversion rates on the signup form by slowing people down. However,
one of the clear arguments in favor of doing this now (as opposed to say,
back in 2001) is that users will largely expect an account on a popular
website to require them to have a password longer than 1 character.
If we really are scared about the requirements in our signup form driving
people away from editing, we can make many user experience improvements
that would, like every other site, offset the terrible awful horrible evil
of requiring a six character password. I'd be happy to list specifics if
someone wants, but this email is already too long.
Steven