On 2/7/14, Steven Walling steven.walling@gmail.com wrote:
I feel like I should reiterate why I proposed this change. Maybe no one cares, but I think it might help convince folks this is NOT an argument for "let's reduce user freedom in the name of security."
I didn't work on the RFC because I love tinkering with password security in my spare time and know lots about it. Far from it. I did it because I think we're failing MediaWiki users on *all installations* by inviting them to sign up for an account, and then failing to set default requirements that help them adequately secure those accounts. Users tend to follow defaults and do the minimum effort to reach their goals -- in this case to sign up and then get editing. It's our job as the MediaWiki designers and developers to set good defaults that encourage account security without being excessively annoying.
In addition to just being sane about security defaults, there is more. Allow me to wax poetic a moment... If you can edit anonymously, why do we allow and encourage registration at all? Many reasons of course, but one of them is because it is a rewarding experience to have a persistent identity on a wiki. We all know how real that identity becomes sometimes. When I meet Krinkle or MZMcBride in real life, I don't call them Timo and Max. Or if I do, I don't think of them as those names in my head.
When wiki users start an account, they might think that they are just creating something unimportant. They may actually have bad intentions. But part of this is that we're offering people an account because it gives them a chance to be recognized, implicitly and explicitly, for the work they do on our wikis.
I think setting a default of 1 character passwords required doesn't reinforce the idea that an account is something you might actually come to cherish a bit, and that it might even represent you in some important way to others. By signaling to new users that an account is so worthless that it's cool if you have a one character password... well, is that really such a good thing?
On Thu, Feb 6, 2014 at 5:44 PM, MZMcBride z@mzmcbride.com wrote:
P.S. I also casually wonder whether there's a reasonable argument to be made here that requiring longer passwords will hurt editor retention more than it helps, but this thought is still largely unformed and unfocused.
I think that's a canard. There are many many sites that do not have user acquisition or retention problems, while also having sane password length requirements. Yes, this is a potential extra roadblock, which may slightly reduce conversion rates on the signup form by slowing people down. However, one of the clear arguments in favor of doing this now (as opposed to say, back in 2001) is that users will largely expect an account on a popular website to require them to have a password longer than 1 character.
If we really are scared about the requirements in our signup form driving people away from editing, we can make many user experience improvements that would, like every other site, offset the terrible awful horrible evil of requiring a six character password. I'd be happy to list specifics if someone wants, but this email is already too long.
Steven
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Thanks for the background, I think it's important to know the "why" for a change, not just a what. However it doesn't address what I see as the main concern being raised about this proposal - the lack of a threat model. Who is the enemy we're concerned about breaking into accounts? What are the enemy's resources? Anything done for security should be in reference to some sort of threat model. Otherwise we will probably end up implementing security that does not make sense, things that protect one aspect without protecting the important aspect, etc. While most people think having distinct identities on wiki is important, what we need to protect them from is going to vary wildly from person to person. It wouldn't surprise me if the hard-core SoftSecurity people would argue for an honour system...
Users tend to follow defaults and do the minimum effort to reach their goals -- in this case to sign up and then get editing.
'password' is probably less secure than most one letter passwords.
--bawolff
p.s. I don't think stronger password requirements will have much of an effect on user retention assuming the requirements aren't insane (e.g. don't require a password min 9 max 13 characters long with exactly 7 symbols and no more than 2 numbers).
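An added illustration of the threat-model question and the "'password' vs. one letter" point in the reply above (example code, not from the thread or from MediaWiki): a toy guess-count model in which the attacker tries a common-password list first and brute-forces afterwards, evaluated under assumed online and offline guess rates, next to a policy that has only a length floor and a denylist, no composition rules. The common-password list and the guess rates are constructed assumptions for the example.

```python
import string

# Constructed stand-in for a real common-password list; its order is the order an
# attacker would try entries (assumption made for this example).
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123"]

# Assumed guess rates for the two attackers the thread asks about: rate-limited
# online guessing against the login form versus offline cracking of leaked hashes.
GUESS_RATES = {"online": 10.0, "offline": 1e9}  # guesses per second (assumptions)

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def alphabet_size(pw):
    """Size of the union of character classes that appear in the password."""
    return sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in pw))


def worst_case_guesses(pw):
    """Guesses needed if the attacker tries the common list first, then brute force
    over the password's own character classes (so 'password' falls on guess 2,
    while a single lowercase letter survives the list and needs up to 5 + 26)."""
    if pw in COMMON_PASSWORDS:
        return COMMON_PASSWORDS.index(pw) + 1
    return len(COMMON_PASSWORDS) + alphabet_size(pw) ** len(pw)


def seconds_to_crack(pw, model):
    """Worst-case time for the named attacker model."""
    return worst_case_guesses(pw) / GUESS_RATES[model]


def check_password(pw, min_length=6):
    """Policy check: a length floor plus a denylist, deliberately no composition
    rules. Returns the list of problems (empty means accepted)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if pw in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems
```

Calling `check_password("password")` rejects an eight-character password that a pure length rule would accept, while `seconds_to_crack("a", "online")` shows that a one-character password falls in seconds even to a rate-limited attacker.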