hi steven, thanks for this proposal. what i trap into consistently since years is not beeing logged in, when i want to. i'd really appreaciate if this is shown clearly, on all wiki's. i never can remember which ones indicate it and which ones not. mediawiki.org indicates it, btw ... and i was trying to comment there not logged in :) for the password policy: display a strength indicator is great. anything more? i would say just leave it to the user. rupert. On Fri, Jan 24, 2014 at 8:50 PM, Steven Walling <steven.walling(a)gmail.com>wrote;wrote:

On Sat, Jan 25, 2014 at 10:25 AM, Isarra Yos <zhorishna(a)gmail.com> wrote: We should probably have this discussion on the RFC comments. The trade-off between security and user freedom is already brought up there, and there are some clarifying comments that are relevant. Namely, that the RFC is about the MediaWiki default. If a given MediWiki install wants to change the default, they can like all config settings.

On Sun, Jan 26, 2014 at 9:49 AM, Gryllida <gryllida(a)fastmail.fm> wrote: I once saw a "can be brute forced on commodity hardware in x" field instead of an abstract "strength" field - but phrased less techy. I liked that.

A three/four colour lamp + "it might be forced in approx X days" sounds great! Vito Inviato con AquaMail per Android http://www.aqua-mail.com Il 04 febbraio 2014 10:19:12 Martijn Hoekstra <martijnhoekstra(a)gmail.com> ha scritto:

hacking into password manager might be easier than hacking into a human brain :P On Tue, Feb 4, 2014 at 11:03 AM, Željko Filipin <zfilipin(a)wikimedia.org> wrote:

On Tuesday, February 4, 2014, Petr Bena <benapetr(a)gmail.com> wrote: I fully agree. This is why the RFC explicitly

Steven Walling wrote: General consensus (on this mailing list and at the RFC) seems to be that we can certainly encourage stronger passwords, but we should not require stronger passwords for standard accounts. Accounts with escalated privileges (admin, checkuser, etc.) should likely be treated differently. Ultimately, account security is a user's prerogative. If a user wants to use "wiki" as his or her password, we can say that's not a great idea, but I don't see why we would outright ban it. Similarly, more complex passwords lead to people using a sticky note or similarly poor practices. Wikimedia wiki accounts are nearly valueless. Banks and even e-mail providers have reason to implement stricter authentication requirements. Meanwhile on Wikimedia wikis, there's very little incentive to log in. What's the purpose of securing such standard accounts? This has an associated cost. What's the benefit? Perhaps there are better arguments for why we should lock an unknown number of users out of their accounts every time someone upgrades MediaWiki, but currently the pros column seems a lot weaker than the cons column for implementing this change to $wgMinimalPasswordLength. MZMcBride

On Feb 5, 2014 8:21 AM, "MZMcBride" <z(a)mzmcbride.com> wrote: I think Steven meant upping the requirements for new accounts only. In that way nothing gets broken immediately. I'm still not absolutely convinced this is more useful than a hindrance if we clearly inform the user about password strength when they set them (see my earlier post about "this password can be brute forced in x"). If users are then not deterred from setting their password to "wiki", apparently they didn't care, as we told them how easy it is to brute force. If Steven did mean something that will lock people out of their account on upgrades, then I don't think that's a good idea at all. Martijn.

On Wed, Feb 5, 2014 at 2:58 AM, Tyler Romeo <tylerromeo(a)gmail.com> wrote: What if all of the email addresses that a user has ever used were to be stored permanently? Then in the event of an account hijacking, he could say to WMF, "As your data will confirm, the original email address for user Foo was foo(a)example.com, and I am emailing you from that account, so either my email account got compromised, or I am the person who first set an email address for user Foo." The email services have their own procedures for sorting out situations in which people claim their email accounts were hijacked.

I feel as though this idea does not meet my need for privacy. I can guess that at least a portion of the community would agree. Thank you, Derric Atzrott

On Tue, Feb 4, 2014 at 11:20 PM, MZMcBride <z(a)mzmcbride.com> wrote: That does not seem to be the consensus to me. I see several people with expertise in this area (Chris Steipp, Ryan Lane, others) recommending that this is the least we should do. I think we should leave determining consensus up to the people who will close the RFC.

Hi. Tyler Romeo wrote: I'm not sure the logic is conflicting. I tried to separate individual thoughts into individual paragraphs. The common thread of my message was that I haven't yet seen enough evidence that the cost here is worth the benefit. The benefits to securing valueless accounts remains unclear, while the implementation cost is non-negligible. E-mail accounts are often used in identity verification processes and banks are banks. While you and I may disagree with their password policies, there's at least a reasonable explanation for implementing more stringent requirements in these two cases. Compare with MediaWiki user accounts. What's the argument here? Why is this worth any effort? I personally regularly use single-character passwords on test MediaWiki wikis (and other sites) because, as a user, it's my right to determine what value to place in a particular account. If one day MediaWiki wikis (or Wikimedia wikis, really) allow per-user e-mail (i.e., mzmcbride(a)wikipedia.org) or if there comes a time when identity verification becomes part of the discussion (compare with Twitter's blue checkmark verified account practice), then it may make sense to require (l|str)onger passwords in those specific cases. Even today, if you want to make Jimmy or members of the Wikimedia Foundation staff have crazy-long passwords, that may be reasonable or prudent or what-have-you, but that doesn't mean MediaWiki core should go along. I'm not sure this is true, but it's too off-topic to discuss here. A thread about global banking laws and practices, particularly with regard to liability and insurance and criminal activity, would certainly be interesting to read, though. :-) I absolutely agree with you on this point. And I think we can encourage stronger passwords, even on the login form if you'd like. Rather than only using user groups, we could also use edit count or edit registration date or any number of other metrics. The catch, of course, is (a) finding developer consensus on a reasonable implementation of a password strength meter and (b) finding local community consensus to make changes on a per-variable basis. For what it's worth, I think I have one or two committed identities buried in my user page history on the English Wikipedia. In any case, as you note, it's mostly a moot point with me. Finally, while not always the best precedent, it seems fair to look at the history here. As I recall (I'm relying on Cunningham's Law a little bit here ;-) UseModWiki and other early wiki engines allowed anonymous editing and even the ability to specify only a username when making an edit. MediaWiki itself used to allow completely blank passwords and people who are still active today used to have zero-length passwords. If history is any guide here, the idea that standard wiki accounts, and even online identity, is not particularly valuable is not new in the wiki world. Perhaps it's no longer the case today, but there was (and hopefully is) a noble goal to encourage a strong focus primarily on the content rather than the contributor. A lofty goal, indeed. MZMcBride

On Thu, Feb 6, 2014 at 9:58 AM, Chris Steipp &lt;csteipp(a)wikimedia.org&gt; wrote: 1) Merely increasing the length could increase required keystrokes without making it more secure. A couple comments from the meeting<https://www.mediawiki.org/wiki/Architecture_meetings/RFC_review_… : <brion> "aaaaaaaaaaaaaaaaaaaaaaaa" ain't secure <TimStarling> "password" isn't secure either, and that's 8 It seems to me that a pretty secure approach would be to have the system give the user his 8-12 character password, rather than letting him pick a password. Then we can be assured that he's not doing stuff like "p@ssword" to meet the complexity requirements. 2) How plausible is this scenario you mention, involving legal action? Has/would the WMF ever take/taken legal action against someone for actions taken with their user account? Why would that happen, when any damage done by a non-checkuser can generally be reverted/deleted/etc.? What would be the remedy; trying to get money out of the person? It probably wouldn't amount to much.

On Thu, Feb 6, 2014 at 3:26 PM, Brian Wolff &lt;bawolff(a)gmail.com&gt; wrote: Actually, I think it might be better if we just have people come on down to the San Francisco office and show their government ID. Then we have Tim or Brion log them in personally. ;) *-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science

On Thu, Feb 6, 2014 at 4:54 PM, Derric Atzrott &lt;datzrott(a)alizeepathology.com You mean kind of like this? https://www.mediawiki.org/wiki/Extension:SSLClientAuthentication *-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science

If feel like I should reiterate why I proposed this change. Maybe no one cares, but I think it might help convince folks this is NOT an argument for "let's reduce user freedom in the name of security." I didn't worked on the RFC because I love tinkering with password security in my spare time and know lots about it. Far from it. I did it because I think we're failing MediaWiki users on *all installations* by inviting them to sign up for an account, and then failing to set default requirements that help them adequately secure those accounts. Users tend to follow defaults and do the minimum effort to reach their goals -- in this case to sign up and then get editing. It's our job as the MediaWiki designers and developers to set good defaults that encourage account security without being excessively annoying. In addition to just being sane about security defaults, there is more. Allow me to wax poetic a moment... If you can edit anonymously, why do we allow and encourage registration at all? Many reasons of course, but one of them is because it is a rewarding experience to have a persistent identity on a wiki. We all know how real that identity becomes sometimes. When I meet Krinkle or MZMcbride in real life, I don't call them Timo and Max. Or if I do, I don't think of them as those names in my head. When wiki users start an account, they might think that they are just creating something unimportant. They may actually have bad intentions. But part of this is that we're offering people an account because it gives them a chance to be recognized, implicitly and explicitly, for the work they do on our wikis. I think setting a default of 1 character passwords required doesn't reinforce the idea that an account is something you might actually come to cherish a bit, and that it might even represent you in some important way to others. By signaling to new users that an account is so worthless that it's cool if you have a one character password... well, is that really such a good thing? On Thu, Feb 6, 2014 at 5:44 PM, MZMcBride &lt;z(a)mzmcbride.com&gt; wrote: I think that's a canard. There are many many sites that do not have user acquisition or retention problems, while also having sane password length requirements. Yes, this is a potential extra roadblock, which may slightly reduce conversion rates on the signup form by slowing people down. However, one of the clear arguments in favor of doing this now (as opposed to say, back in 2001) is that users will largely expect an account on a popular website to require them to have a password longer than 1 character. If we really are scared about the requirements in our signup form driving people away from editing, we can make many user experience improvements that would, like every other site, offset the terrible awful horrible evil of requiring a six character password. I'd be happy to list specifics if someone wants, but this email is already too long. Steven

Nathan Larson &lt;nathanlarson3141(a)gmail.com&gt; wrote: Cf. http://blog.wikimedia.org/2013/11/19/wikimedia-foundation-sends-cease-and-d…. Tim

On Sat, Feb 8, 2014 at 8:14 AM, Brian Wolff &lt;bawolff(a)gmail.com&gt; wrote: Totally agree, and I added a first pass for it at https://www.mediawiki.org/wiki/Requests_for_comment/Passwords#Threats

On Tue, Feb 4, 2014 at 1:33 AM, Petr Bena &lt;benapetr(a)gmail.com&gt; wrote: I think that issue has been solved quite a while ago, you don't remember passwords, you keep them in password stores. you may have a master password to remember but you don't have the same on all services and you don't remember the individual ones, you copy/paste, so i don't care at all how long it is -- Daniel Zahn &lt;dzahn(a)wikimedia.org&gt; Operations Engineer