On Wed, Feb 5, 2014 at 8:00 PM, MZMcBride z@mzmcbride.com wrote:
> Hi.
>
> Tyler Romeo wrote:
> > On Wed, Feb 5, 2014 at 2:20 AM, MZMcBride z@mzmcbride.com wrote:
> > > Ultimately, account security is a user's prerogative. [...] Banks and even e-mail providers have reason to implement stricter authentication requirements.
> >
> > This is conflicting logic. If it is the user's job to enforce their own account security, what reason would banks or email providers have to require long passwords?
>
> I'm not sure the logic is conflicting. I tried to separate individual thoughts into individual paragraphs. The common thread of my message was that I haven't yet seen enough evidence that the cost here is worth the benefit. The benefits of securing valueless accounts remain unclear, while the implementation cost is non-negligible.
>
> E-mail accounts are often used in identity verification processes and banks are banks. While you and I may disagree with their password policies, there's at least a reasonable explanation for implementing more stringent requirements in these two cases. Compare with MediaWiki user accounts. What's the argument here? Why is this worth any effort?
I think there are a couple of reasons why we have a duty to enforce strong passwords. Let me try to convince you.

1) As I understand it, the reason we went from 0 to 1 character required is that spammers were actively trying to find accounts with no password so they could edit with an autoconfirmed account. We rely on "number of combinations of minimum passwords" to be greater than "number of tries before an IP must also solve a captcha to log in" to mitigate some of this, but I think there are straightforward ways for a spammer to get accounts with our current setup. And I think increasing the minimum password length is one component.

2) We do have a duty to protect our users' accounts with a reasonable amount of effort/cost proportional to the weight we put on those identities. I think we would be in a very difficult spot if the foundation tried to take legal action against someone for the actions they took with their user account, and the user said, "That wasn't me, my account probably got hacked. And it's not my fault, because I did the minimum you asked me." So I think we at least want to be roughly in line with "industry standard", or have a calculated tradeoff against that, which is roughly 6-8 character passwords with no complexity requirements. I personally think the foundation and community _does_ put quite a lot of weight into users' identities (most disputes and voting processes that I've seen have some component that assumes edits by an account were done by a single person), so I think we do have a responsibility to set the bar at a level appropriate to that, assuming that all users will do the minimum that we ask. Whether it's 4 or 6 characters for us I think is debatable, but I think 1 is not reasonable.
> I personally regularly use single-character passwords on test MediaWiki wikis (and other sites) because, as a user, it's my right to determine what value to place in a particular account.
>
> If one day MediaWiki wikis (or Wikimedia wikis, really) allow per-user e-mail (i.e., mzmcbride@wikipedia.org) or if there comes a time when identity verification becomes part of the discussion (compare with Twitter's blue checkmark verified account practice), then it may make sense to require (l|str)onger passwords in those specific cases. Even today, if you want to make Jimmy or members of the Wikimedia Foundation staff have crazy-long passwords, that may be reasonable or prudent or what-have-you, but that doesn't mean MediaWiki core should go along.
>
> > If somebody guesses a user's password and empties their bank account, the bank could care less, since it is the customer's fault for not making sure their password is long enough.
>
> I'm not sure this is true, but it's too off-topic to discuss here. A thread about global banking laws and practices, particularly with regard to liability and insurance and criminal activity, would certainly be interesting to read, though. :-)
>
> > I'm sure a very heavy Wikipedia editor, who uses his/her account to make hundreds of edits a month but isn't necessarily an administrator or other higher-level user, sees their account as something more than a throwaway that can be replaced in an instant.
>
> I absolutely agree with you on this point. And I think we can encourage stronger passwords, even on the login form if you'd like. Rather than only using user groups, we could also use edit count or edit registration date or any number of other metrics. The catch, of course, is (a) finding developer consensus on a reasonable implementation of a password strength meter and (b) finding local community consensus to make changes on a per-variable basis.
>
> > For example, MZMcBride, what if your password is "wiki", and somebody compromises your account, and changes your password and email. You don't have a committed identity, so your account is now unrecoverable.
>
> For what it's worth, I think I have one or two committed identities buried in my user page history on the English Wikipedia. In any case, as you note, it's mostly a moot point with me.
>
> Finally, while not always the best precedent, it seems fair to look at the history here. As I recall (I'm relying on Cunningham's Law a little bit here ;-) UseModWiki and other early wiki engines allowed anonymous editing and even the ability to specify only a username when making an edit. MediaWiki itself used to allow completely blank passwords and people who are still active today used to have zero-length passwords. If history is any guide here, the idea that standard wiki accounts, and even online identity, are not particularly valuable is not new in the wiki world. Perhaps it's no longer the case today, but there was (and hopefully is) a noble goal to encourage a strong focus primarily on the content rather than the contributor. A lofty goal, indeed.
>
> MZMcBride
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
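A worked version of the keyspace-versus-throttle condition from point 1 above, added here as an illustration and not code from the thread or from MediaWiki. It assumes a throttle keyed per IP and account in the shape of $wgPasswordAttemptThrottle, a lowercase-only 26-letter alphabet, and 5 attempts per 300 seconds as an assumed default; the functions report whether a given minimum length keeps the keyspace above the guesses the throttle permits over a horizon, and the smallest length that does.

```python
"""Added example (not from the thread): check whether a minimum-password-length
policy keeps the keyspace above what a per-IP login throttle lets through."""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Throttle:
    """Failed logins one IP may attempt against one account per window.

    Assumed to mirror MediaWiki's $wgPasswordAttemptThrottle (count/seconds);
    5 per 300 s below is an assumed default, not verified here."""
    count: int
    seconds: int


DEFAULT_THROTTLE = Throttle(count=5, seconds=300)  # assumed default


def keyspace(min_length: int, alphabet: int = 26) -> int:
    """Distinct passwords of exactly the minimum length: the space covered by
    users who do only what the policy asks (26 = lowercase letters, assumed)."""
    return alphabet ** min_length


def throttled_guesses(throttle: Throttle, horizon_seconds: int) -> int:
    """Upper bound on online guesses one IP can make at one account in the horizon."""
    windows = math.ceil(horizon_seconds / throttle.seconds)
    return windows * throttle.count


def policy_holds(min_length: int, throttle: Throttle, horizon_seconds: int,
                 alphabet: int = 26) -> bool:
    """The thread's condition: minimum-length keyspace exceeds throttled guesses."""
    return keyspace(min_length, alphabet) > throttled_guesses(throttle, horizon_seconds)


def minimum_length_for(throttle: Throttle, horizon_seconds: int,
                       alphabet: int = 26, max_length: int = 64) -> int:
    """Smallest $wgMinimalPasswordLength for which policy_holds over the horizon."""
    for length in range(1, max_length + 1):
        if policy_holds(length, throttle, horizon_seconds, alphabet):
            return length
    raise ValueError("no length up to max_length keeps the keyspace above the throttle")


if __name__ == "__main__":
    for label, horizon in (("one window", 300), ("one day", 86_400), ("one year", 365 * 86_400)):
        print(f"{label}: minimum length {minimum_length_for(DEFAULT_THROTTLE, horizon)}")
```

With the assumed defaults a one-character minimum satisfies the condition only within a single throttle window; over a day the smallest length that holds is 3 and over a year it is 5, which is the gap the thread is arguing about.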