Let's say they are nearly valueless for most of attackers.
Generally speaking I think we should strongly encourage security without imposing it. A "strength meter", some email reminder and a minimum of six chars for new passwords would be, imho, non-invasive good measures.
Vito
Sent with AquaMail for Android http://www.aqua-mail.com
On 05 February 2014 08:59:24 Tyler Romeo tylerromeo@gmail.com wrote:
On Wed, Feb 5, 2014 at 2:20 AM, MZMcBride z@mzmcbride.com wrote:
Ultimately, account security is a user's prerogative. [...] Banks and even e-mail providers have reason to implement stricter authentication requirements.
This is conflicting logic. If it is the user's job to enforce their own account security, what reason would banks or email providers have to require long passwords? If somebody guesses a user's password and empties their bank account, the bank could care less, since it is the customer's fault for not making sure their password is long enough.
Rather account security, and security in general, is a combination of both administrative oversight and user awareness. It is the system administrators' responsibility to try and make up for the fact that users are not security experts, and thus cannot be expected to take every possible measure to ensure the safety of their account. Accordingly it is our responsibility to set a password policy that ensures that users will not do something stupid, as all users are inclined to do.
Of course, it is still valid that a Wikimedia wiki account is "nearly valueless". However, that is probably more of a personal opinion than it is a fact. I'm sure a very heavy Wikipedia editor, who uses his/her account to make hundreds of edits a month but isn't necessarily an administrator or other higher-level user, sees their account as something more than a throwaway that can be replaced in an instant. Sure there is nothing of monetary value in the account, and no confidential information would be leaked should the account become compromised, but at the same time it has a personal value.
For example, MZMcBride, what if your password is "wiki", and somebody compromises your account, and changes your password and email. You don't have a committed identity, so your account is now unrecoverable. You now have to sign up for Wikipedia again, using the username "MZMcBride2". Of course, all your previous edits are still accredited to your previous account, and there's no way we can confirm you are the real MZMcBride, but at least you can continue to edit Wikipedia... Obviously you are not the best example, since I'm sure you have ways of confirming your identity to the Wikimedia Foundation, but not everybody is like that. You could argue that if you consider your Wikipedia account to have that much value, you'd put in the effort to make sure it is secure. To that I say see the above paragraph.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l