On Thu, Feb 6, 2014 at 9:58 AM, Chris Steipp csteipp@wikimedia.org wrote:
- As I understand it, the reason we went from 0 to 1 character required is spammers were actively trying to find accounts with no password so they could edit with an autoconfirmed account. We rely on "number of combinations of minimum passwords" to be greater than "number of tries before an IP must also solve captcha to login" to mitigate some of this, but I think there are straightforward ways for a spammer to get accounts with our current setup. And I think increasing the minimum password length is one component.
- We do have a duty to protect our users' accounts with a reasonable amount of effort/cost proportional to the weight we put on those identities. I think we would be in a very difficult spot if the foundation tried to take legal action against someone for the actions they took with their user account, and the user said, "That wasn't me, my account probably got hacked. And it's not my fault, because I did the minimum you asked me." So I think we at least want to be roughly in line with "industry standard", or have a calculated tradeoff against that, which is roughly 6-8 character passwords with no complexity requirements. I personally think the foundation and community _does_ put quite a lot of weight into users' identities (most disputes and voting processes that I've seen have some component that assume edits by an account were done by a single person), so I think we do have a responsibility to set the bar at a level appropriate to that, assuming that all users will do the minimum that we ask. Whether it's 4 or 6 characters for us I think is debatable, but I think 1 is not reasonable.
1) Merely increasing the length could increase required keystrokes without making it more secure. A couple comments from the meeting (https://www.mediawiki.org/wiki/Architecture_meetings/RFC_review_2014-02-05#Full_log):

<brion> "aaaaaaaaaaaaaaaaaaaaaaaa" ain't secure
<TimStarling> "password" isn't secure either, and that's 8
It seems to me that a pretty secure approach would be to have the system give the user his 8-12 character password, rather than letting him pick a password. Then we can be assured that he's not doing stuff like "p@ssword" to meet the complexity requirements.
2) How plausible is this scenario you mention, involving legal action? Has the WMF ever taken, or would it ever take, legal action against someone for actions taken with their user account? Why would that happen, when any damage done by a non-checkuser can generally be reverted/deleted/etc.? What would be the remedy; trying to get money out of the person? It probably wouldn't amount to much.
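As an added illustration (not code from either participant or from MediaWiki) of the two arguments above: Chris's "combinations of minimum passwords versus tries before captcha" test, and the reply's suggestion of system-assigned 8-12 character passwords. The captcha threshold is a constructed placeholder; the thread does not state the real value. The space calculation only holds for uniformly random passwords, which is exactly why user-chosen "aaaaaaaa" or "password" defeats a length-only rule and why assigning the password removes that gap.

```python
import math
import secrets
import string

# Constructed placeholder: login attempts an IP gets before a captcha is required.
# The real MediaWiki value is not given in the thread.
TRIES_BEFORE_CAPTCHA = 5


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def guess_success_probability(alphabet_size: int, length: int, tries: int) -> float:
    """Chance that one unthrottled batch of `tries` guesses hits a password
    chosen uniformly at random. This is the optimistic (random password) case;
    for a user-picked password the attacker's odds are far higher."""
    return min(1.0, tries / password_space(alphabet_size, length))


def min_length_for_margin(alphabet_size: int, tries: int, margin: int) -> int:
    """Smallest minimum length at which the password space exceeds the
    per-IP try budget by a factor of `margin` (Chris's ratio argument)."""
    length = 1
    while password_space(alphabet_size, length) < tries * margin:
        length += 1
    return length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password; a length-only policy on
    user-chosen passwords gives no such guarantee."""
    return length * math.log2(alphabet_size)


def generate_password(min_len: int = 8, max_len: int = 12,
                      alphabet: str = string.ascii_letters + string.digits) -> str:
    """System-assigned password as the reply suggests: the site picks the
    characters with a CSPRNG, so the entropy bound above actually applies."""
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for length in (1, 4, 6, 8):
        p = guess_success_probability(26, length, TRIES_BEFORE_CAPTCHA)
        print(f"min length {length}: P(guess before captcha) = {p:.2e}")
    print("assigned password:", generate_password())
```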