Chris Steipp wrote:
Totally agree, and I added a first pass for it at https://www.mediawiki.org/wiki/Requests_for_comment/Passwords#Threats
Thanks for this. I think it's a good start. I think it's reasonable to say that you've established that there are threats. In my opinion, now it's a matter of demonstrating that any counter-measures proposed will directly mitigate those threats. And it's also a matter of demonstrating that the threats are substantial (dangerous) enough to warrant a response. There are nearly a limitless number of threats in life, so figuring out how much energy to invest in securing free and unprivileged accounts versus administrator or steward accounts is important.
Just to give a better understanding, for the English Wikipedia as of about Wed Feb 12 03:44:04 UTC 2014:
MariaDB [enwiki_p]> select user_editcount, count(user_id) from user group by user_editcount order by user_editcount asc limit 11;
+----------------+----------------+
| user_editcount | count(user_id) |
+----------------+----------------+
|              0 |       13814964 |
|              1 |        2406240 |
|              2 |        1151354 |
|              3 |         664263 |
|              4 |         436915 |
|              5 |         309483 |
|              6 |         231616 |
|              7 |         178952 |
|              8 |         143525 |
|              9 |         116164 |
|             10 |          96053 |
+----------------+----------------+
11 rows in set (38.93 sec)
Pastebin: http://p.defau.lt/?4QMxue_aRSm1eK9CEK_wDw
There are approximately 20,740,377 user accounts total, so roughly 66.61% of accounts have zero edits and roughly 94.26% of accounts have ten or fewer edits on the English Wikipedia. A few thousand of these users are likely involved in substantial work on other wikis, but that's probably a nearly insignificant percentage. The convenience versus security trade-off is still a serious consideration, in my opinion.
MZMcBride