Chris Steipp wrote:
> - As I understand it, the reason we went from 0 to 1 character required is that spammers were actively trying to find accounts with no password so they could edit with an autoconfirmed account.
Err, citation needed. :-)
I'd forgotten that I'd filed https://bugzilla.wikimedia.org/18222 (related to MediaWiki core rather than Wikimedia). I thought the change from 0 to 1 for this variable generally was due to integration issues with other authentication systems, but I have no idea why I think this. I looked at an older version of Wikimedia's InitialiseSettings.php and found only the accompanying code comment "enforce prohibition of blank passwords" (the $wgMinimalPasswordLength variable was presumably subsequently removed when someone noticed that its value matched the software default value). I didn't see any relevant entries in the Wikimedia server admin log in my brief search.
Arguing to increase minimal password length as an anti-spam measure is reasonable provided that there's an actual (i.e., demonstrable) issue that needs to be addressed and that there's good reason to believe that this particular measure will mitigate that issue. However, if there isn't evidence to suggest that this is an effective anti-spam approach, a needless increase in the default value of this variable has the taste of security theater.
> - We do have a duty to protect our users' accounts with a reasonable amount of effort/cost proportional to the weight we put on those identities. I think we would be in a very difficult spot if the foundation tried to take legal action against someone for the actions they took with their user account, and the user said, "That wasn't me, my account probably got hacked. And it's not my fault, because I did the minimum you asked me."
With respect, I think this is an unfair argument to make. It strikes me as a rough appeal to authority (legal consequences) without any kind of reference or substantiation. If you think that the setting of $wgMinimalPasswordLength in MediaWiki core or on Wikimedia wikis is a legal issue, you should consult with the Wikimedia Foundation legal team. I don't think it's fair to use legal theories and speculation as a basis for changing software settings. The fact that most users can edit while logged out ("anonymously") also seems to poke large holes in this idea.
> Whether it's 4 or 6 characters for us I think is debatable, but I think 1 is not reasonable.
Minimal password length has been configurable since January 2005 (cf. https://www.mediawiki.org/wiki/Special:Code/MediaWiki/48968) and no Wikimedia wiki community has asked for it to be increased in all these years, as far as I'm aware (I looked around Bugzilla). I think most users feel that account maintenance is a personal responsibility issue. As discussed at https://bugzilla.wikimedia.org/25925 it's a matter of convenience versus security.
If you want to set the value of $wgMinimalPasswordLength higher for officewiki or other private Wikimedia wikis, that's obviously (at least partially) your prerogative. But for MediaWiki core and for standard Wikimedia wikis, I'd like there to be a decent rationale before we consider inconveniencing users.
MZMcBride
P.S. I also casually wonder whether there's a reasonable argument to be made here that requiring longer passwords will hurt editor retention more than it helps, but this thought is still largely unformed and unfocused.