https://bugzilla.wikimedia.org/show_bug.cgi?id=25925
--- Comment #19 from Matthew Flaschen <[email protected]> ---
(In reply to comment #17)
> (In reply to comment #15)
> > However, password brute-forcing can be used against anyone, even those who
> > always use HTTPS.
>
> To what end?

To get into their account, the same reason an attacker brute-forces anyone. I don't know what you're getting at. Like I said, there are different attack scenarios.

(In reply to comment #18)
> Could we not program it to prompt the user to change their password if it's
> "weak"/"under the X character count"? which would seem to solve most of the
> issues/arguments presented here about locking people out.

So never lock anyone out, but force a change on login? That seems like a potentially reasonable approach for non-privileged accounts. It still leaves inactive accounts with a weak password, but ensures migration of actively used accounts over time.
