[WikiEN-l] Please change your passwords.

Kelly Martin kelly.lynn.martin at gmail.com
Tue May 8 14:08:57 UTC 2007


On 5/7/07, Steve Summit <scs at eskimo.com> wrote:
> Well, I'm not so sure either works.  I'm one of the more
> security-conscious people I know, and I don't bother with strong
> passwords (let alone passphrases) when I register at ordinary
> websites -- the risk just isn't there.  If you tell me to pick
> a strong password I'll just laugh at you.

Indeed.  My password on all Wikimedia sites, except Commons and
enwiki, is the same and is the same as the stupid low-security
password that I use on a bazillion other websites.  Why?  Because none
of these sites matter, and going to the trouble of creating distinct
passwords for each is silly.  My Commons password (where I am an
admin) and my enwiki (where I used to be an admin) are different and
are chosen from my "moderate security" scheme.  Neither qualifies for
high security passwords; my highest security passwords are reserved
for things related to financial services (e.g. banks, credit cards,
brokerages, etc.) and for my work accounts.

Security is a tradeoff.  Nobody applies maximum security to
everything; you choose a level of security that provides a reasonable
compromise between complexity and risk.

That said, I think people should avoid using absurdly weak passwords
on websites -- "password" should be just plain out regardless of the
irrelevancy of the site in question, unless you really do not care at
all about being impersonated -- and people with elevated rights should
elevate their password complexity correspondingly.  In the Wikimedia
context, this would seem to me to be especially true for people who
are subject to the Foundation's identification requirements: if you
have access to protected information, your password should have an
appropriate level of complexity.

Kelly


