Good point about MITM doing script injection, which I hadn't fully
considered. I'm not sure that going to HTTPS would solve everything (e.g.
that alone wouldn't prevent the origin site from reading passwords that
someone enters into the tool, and HTTPS is not foolproof) but it would
indeed be a big step in the right direction to avoid MITM.

I wonder (looking at the WMF people in the room): how quickly could WMF
deploy a password strength checking tool to the Wikimedia sites? That won't
solve all of the problems but it would be a step in the right direction.


On Thu, Nov 17, 2016 at 10:00 AM, Tyler Romeo <> wrote:

> On Thu, Nov 17, 2016 at 12:28 PM, Pine W <> wrote:
> > 1. If you don't trust that strength testing site (which is fine), choose
> > another. I did a couple of quick checks on that site; while it's entirely
> > possible that I missed something, it appeared to me that the site was not
> > sending passwords over the Internet, whether in the clear or encrypted. The
> > use of HTTP or HTTPS is irrelevant if the data isn't getting sent out in
> > the first place.
> >
> Or use a password manager that has a local built-in password strength tool,
> that way you don't risk being MiTMed by an HTTP site.
> In general, as mentioned, you should simply not enter your password on any
> website that is not the site the password belongs to. For my full-time job,
> employees have a Chrome extension where, if you accidentally type your
> password on any website (even if it's not in a text box), you're required
> to reset it.
> -- 
> Regards,
> Tyler Romeo
> 0x405d34a7c86b42df
> _______________________________________________
> Wikitech-l mailing list
Wikimedia-l mailing list