I'm not sure that I agree with that assessment *of password strength
testing tools* (not humans), for a couple of reasons.

0. Weak passwords are a huge problem, and may be closely related to the
weakness that the attackers are currently using to compromise Wikimedia
accounts. As far as I know, Wikimedia currently has no internal way to deal
with that problem. We *should* have a way to deal with that problem, but it
seems to me that using a tool that I recommended is the lesser of two evils
at the moment. In the long run, it would be much better if Wikimedia had an
internal tool to validate the strength of users' passwords and block
passwords that fall below a certain strength level.

1. If you don't trust that strength testing site (which is fine), choose
another. I did a couple of quick checks on that site; while it's entirely
possible that I missed something, it appeared to me that the site was not
sending passwords over the Internet, whether in the clear or encrypted. The
use of HTTP or HTTPS is irrelevant if the data isn't getting sent out in
the first place.

Do you have a better solution in mind to deal with the immediate problem of
weak passwords, besides 2FA which is not available to everyone?


On Thu, Nov 17, 2016 at 12:08 AM, Antoine Musso <hashar+...@free.fr> wrote:

> Le 16/11/2016 à 19:19, Pine W a écrit :
> >
> > (0) Consider testing your password strength with a tool like
> > http://www.testyourpassword.com/; be sure that the tool you use does not
> > send your chosen password over the Internet and instead tests it locally.
> By using an online testing tool, you are effectively breaking the very
> first rule:
> Using that site is exactly like sharing your password with a random
> stranger in the world.  Even if you trusted that website, and audited
> the code at a given point in time, you have no guarantee the site hasn't
> changed or that it is not collecting passwords.
> --
> Antoine "hashar" Musso
> _______________________________________________
> Wikitech-l mailing list
> wikitec...@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikimedia-l mailing list, guidelines at: 
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 

Reply via email to