https://bugzilla.wikimedia.org/show_bug.cgi?id=16435
--- Comment #6 from Thomas Bertels <[email protected]> 2009-05-05 09:00:35 UTC ---
(In reply to comment #4)
> (In reply to comment #3)
> > Since there's a captcha after 3 attempts and a temporary lockout after 3 (or
> > so) more attempts, I'm not sure if it's a good idea to enforce that much brute
> > force or dictionary resistant passwords.
> > Too strong passwords would be difficult for the users to remember.
> > What about just letting the user know about his/her password strength?
> >
> Yes, that'd be nice too. I know of several sites which have a password strength
> indicator beside the input which changes as you're typing from "empty" in grey
> -> "weak" in red -> "OK" in yellow -> "strong" in green using AJAX.

It could even be done by JavaScript only, by the way (unless we check against a
dictionary).

> > However, since the compromised accounts' passwords were either the same as the
> > login or just "password", those are basic rules to improve password strength
> > (they are probably already active).
> >
> I'm not sure what you mean here... Are there already restrictions on using
> "password" as the password, or using your username as the password? That's good,
> but we can do better.
>

I mean that we should just require passwords different from the username, and
forbid passwords like "password" or so. Requiring very strong passwords (like
letters + numbers) would be an unnecessary annoyance for the user.
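
The two hard rules and the as-you-type indicator discussed in this comment, as an added JavaScript example that is not part of the original message or of MediaWiki's code. The denylist entries, the scoring thresholds and all function names are assumptions made for illustration.

```javascript
// Added illustration, not MediaWiki code. Denylist and thresholds are assumptions.
const DENYLIST = new Set(["password", "123456", "qwerty", "letmein"]); // constructed sample

// Compare case-insensitively and after Unicode normalization, so that
// "Alice" / "alice" / full-width variants are treated as the same string.
function normalize(s) {
  return s.normalize("NFKC").trim().toLowerCase();
}

// Hard rules from the comment: password must differ from the username
// and must not be a trivially common word. Returns a reason or null.
function policyViolation(username, password) {
  const p = normalize(password);
  if (p === "") return "empty";
  if (p === normalize(username)) return "same-as-username";
  if (DENYLIST.has(p)) return "common-password";
  return null;
}

// Advisory indicator: "empty" (grey) -> "weak" (red) -> "OK" (yellow) -> "strong" (green).
// It informs the user but does not require letters + numbers.
function strengthLabel(username, password) {
  if (password === "") return { label: "empty", color: "grey" };
  if (policyViolation(username, password)) return { label: "weak", color: "red" };
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(password)).length;
  const containsUser = username.length >= 3 &&
    normalize(password).includes(normalize(username));
  let score = 0;
  if (password.length >= 8) score++;
  if (password.length >= 12) score++;
  if (classes >= 2) score++;
  if (containsUser) score--; // "alice2009" for user "Alice" is still guessable
  if (score >= 3) return { label: "strong", color: "green" };
  if (score >= 2) return { label: "OK", color: "yellow" };
  return { label: "weak", color: "red" };
}
```

A client-side indicator is advisory only; the username and denylist rules have to be enforced again on the server at account creation and password change.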
