On Feb 5, 2014 8:21 AM, "MZMcBride" z@mzmcbride.com wrote:
> Steven Walling wrote:
>> I fully agree, and this is why the RFC is very clear that the *only immediate change proposed* is an increase in required minimum length from one character to six. It does not suggest that we require more complex character types, such as mixed upper/lower case, numbers, symbols and so on. Just increasing the length, and hopefully suggesting to users how to pick a strong password, is plenty for MediaWiki defaults.
> General consensus (on this mailing list and at the RFC) seems to be that we can certainly encourage stronger passwords, but we should not require stronger passwords for standard accounts. Accounts with escalated privileges (admin, checkuser, etc.) should likely be treated differently.
> Ultimately, account security is a user's prerogative. If a user wants to use "wiki" as his or her password, we can say that's not a great idea, but I don't see why we would outright ban it. Similarly, more complex passwords lead to people using a sticky note or similarly poor practices.
> Wikimedia wiki accounts are nearly valueless. Banks and even e-mail providers have reason to implement stricter authentication requirements. Meanwhile on Wikimedia wikis, there's very little incentive to log in. What's the purpose of securing such standard accounts? This has an associated cost. What's the benefit?
> Perhaps there are better arguments for why we should lock an unknown number of users out of their accounts every time someone upgrades MediaWiki, but currently the pros column seems a lot weaker than the cons column for implementing this change to $wgMinimalPasswordLength.
> MZMcBride
I think Steven meant upping the requirements for new accounts only. In that way nothing gets broken immediately. I'm still not absolutely convinced this is more useful than a hindrance if we clearly inform the user about password strength when they set them (see my earlier post about "this password can be brute forced in x"). If users are then not deterred from setting their password to "wiki", apparently they didn't care, as we told them how easy it is to brute force.
If Steven did mean something that will lock people out of their account on upgrades, then I don't think that's a good idea at all.
Martijn.
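As an added example (not code from this thread or from MediaWiki itself), here is one way to do what Martijn describes: compute a "this password can be brute forced in x" estimate to show the user when they set a password, and apply the raised minimum length (the RFC's six characters, the proposed $wgMinimalPasswordLength) to new accounts only, so that existing accounts are not locked out on upgrade. The character-class sizes, the assumed guess rate of 10^9 per second, and the function names are all assumptions made for this example.

```python
"""Added example: the kind of password feedback discussed in the thread.

It estimates how long an exhaustive brute-force search of a password's
keyspace would take and shows that to the user at password-set time, and
it enforces the raised minimum length only when a new account is created,
so nobody is locked out of an existing account on upgrade.

Assumptions (not MediaWiki's own numbers or code): the character-class
sizes, the guess rate, and the function names used here.
"""

import string
from typing import Tuple

# Assumed character classes an attacker would have to cover. Anything
# outside the first three classes is counted once as "other".
CHAR_CLASSES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
)
OTHER_CLASS_SIZE = 33  # assumed: printable ASCII punctuation

# Assumed offline guess rate. It depends entirely on the password hash in
# use; a fast unsalted hash allows far more guesses per second than this.
ASSUMED_GUESSES_PER_SECOND = 1e9

MIN_LENGTH_NEW_ACCOUNTS = 6        # the RFC's proposed $wgMinimalPasswordLength
MIN_LENGTH_EXISTING_ACCOUNTS = 1   # the old default, left alone for existing accounts


def keyspace_size(password: str) -> int:
    """Number of candidates in an exhaustive search, assuming the attacker
    already knows the length and which character classes are present."""
    if not password:
        return 0
    alphabet = 0
    remaining = set(password)
    for chars, size in CHAR_CLASSES:
        if remaining & chars:
            alphabet += size
            remaining -= chars
    if remaining:
        alphabet += OTHER_CLASS_SIZE
    return alphabet ** len(password)


def brute_force_seconds(password: str,
                        rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return keyspace_size(password) / rate


def human_duration(seconds: float) -> str:
    """Render a duration the way a user-facing message would."""
    units = (("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1))
    for name, span in units:
        if seconds >= span:
            return f"{seconds / span:.1f} {name}"
    return "less than a second"


def strength_message(password: str) -> str:
    """The 'this password can be brute forced in x' message from the thread."""
    return ("This password can be brute-forced in "
            f"{human_duration(brute_force_seconds(password))}.")


def check_password(password: str, new_account: bool) -> Tuple[bool, str]:
    """Apply the raised minimum to new accounts only; existing accounts keep
    working but still see the strength message."""
    minimum = MIN_LENGTH_NEW_ACCOUNTS if new_account else MIN_LENGTH_EXISTING_ACCOUNTS
    message = strength_message(password)
    if len(password) < minimum:
        return False, f"Password must be at least {minimum} characters. {message}"
    return True, message


if __name__ == "__main__":
    for pw, is_new in (("wiki", True), ("wiki", False), ("Wiki2014!", True)):
        ok, msg = check_password(pw, is_new)
        print(f"{pw!r} new={is_new}: {'accepted' if ok else 'rejected'}; {msg}")
```

Two caveats a practitioner would attach to such a message: the figure is an upper bound for a uniform search of the keyspace, so a dictionary word like "wiki" actually falls in far fewer guesses than 26^4 to a wordlist attack, and the guess rate is only meaningful for an offline attack against leaked hashes (online guessing against the wiki itself is limited by whatever rate limiting the login form applies). The estimate therefore flatters weak passwords rather than overstating the risk.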
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l