On Thu, Feb 6, 2014 at 9:58 AM, Chris Steipp <[email protected]> wrote:
> 1) As I understand it, the reason we went from 0 to 1 character required is
> that spammers were actively trying to find accounts with no password so they
> could edit with an autoconfirmed account. We rely on "number of
> combinations of minimum passwords" to be greater than "number of tries
> before an IP must also solve captcha to login" to mitigate some of this,
> but I think there are straightforward ways for a spammer to get accounts
> with our current setup. And I think increasing the minimum password length
> is one component.
>
> 2) We do have a duty to protect our users' accounts with a reasonable
> amount of effort/cost proportional to the weight we put on those
> identities. I think we would be in a very difficult spot if the foundation
> tried to take legal action against someone for the actions they took with
> their user account, and the user said, "That wasn't me, my account probably
> got hacked. And it's not my fault, because I did the minimum you asked me."
> So I think we at least want to be roughly in line with "industry standard",
> or have a calculated tradeoff against that, which is roughly 6-8 character
> passwords with no complexity requirements. I personally think the
> foundation and community _does_ put quite a lot of weight into users'
> identities (most disputes and voting processes that I've seen have some
> component that assume edits by an account were done by a single person), so
> I think we do have a responsibility to set the bar at a level appropriate
> to that, assuming that all users will do the minimum that we ask. Whether
> it's 4 or 6 characters for us I think is debatable, but I think 1 is not
> reasonable.

1) Merely increasing the length could increase required keystrokes without
making it more secure.

A couple of comments from the meeting
(https://www.mediawiki.org/wiki/Architecture_meetings/RFC_review_2014-02-05#Full_log):

<brion> "aaaaaaaaaaaaaaaaaaaaaaaa" ain't secure
<TimStarling> "password" isn't secure either, and that's 8

It seems to me that a pretty secure approach would be to have the system give
the user his 8-12 character password, rather than letting him pick a password.
Then we can be assured that he's not doing stuff like "p@ssword" to meet the
complexity requirements.

2) How plausible is this scenario you mention, involving legal action? Has
the WMF ever taken, or would it ever take, legal action against someone for
actions taken with their user account? Why would that happen, when any damage
done by a non-checkuser can generally be reverted/deleted/etc.? What would be
the remedy; trying to get money out of the person? It probably wouldn't
amount to much.

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
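The two technical points in this exchange, the "combinations of minimum passwords must exceed tries before captcha" rule and the meeting's observation that a long or 8-character password ("aaaaaaaaaaaaaaaaaaaaaaaa", "password") is not secure just because of its length, as an added example that is not part of the thread and not MediaWiki's own code. It assumes a 62-symbol alphabet for server-issued passwords, takes the tries-before-captcha budget as a parameter rather than using any real MediaWiki threshold, and uses a constructed toy attacker wordlist to stand in for a real one.

```python
"""
Added example (not from the thread or from MediaWiki): models the
keyspace-versus-online-guesses argument and shows why a server-issued
random password beats a bare length rule. All thresholds are assumptions.
"""
import math
import secrets
import string

# Assumption: generated passwords draw from letters and digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def hit_probability(tries: int, length: int,
                    alphabet_size: int = len(ALPHABET)) -> float:
    """Chance that `tries` distinct online guesses (the per-IP budget before
    a captcha is demanded) hit one account whose password is uniformly
    random over the keyspace. This is the ratio the thread's rule bounds."""
    return min(1.0, tries / keyspace(length, alphabet_size))


def generate_password(length: int = 12, alphabet: str = ALPHABET) -> str:
    """Server-issued password. `secrets` draws from the OS CSPRNG; the
    `random` module would be predictable from its seed."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed toy guess list standing in for an attacker's ordered wordlist:
# four well-known strings, then every single-character repeat up to 32 long
# (so 24 a's, the string from the meeting log, is in it). 4 + 32*62 entries.
TOY_GUESS_LIST = ["password", "p@ssword", "12345678", "qwerty"] + [
    ch * n for n in range(1, 33) for ch in ALPHABET
]


def guess_rank(password: str, guess_list=TOY_GUESS_LIST):
    """1-based position at which an attacker working down `guess_list`
    finds `password`, or None if it is not in the list at all."""
    try:
        return guess_list.index(password) + 1
    except ValueError:
        return None


def length_only_is_misleading(password: str) -> bool:
    """True when the nominal keyspace for this length is huge (over 10^12,
    an arbitrary cut-off) yet the toy wordlist still finds the password:
    the length rule was satisfied without any real guessing resistance."""
    return keyspace(len(password)) > 10**12 and guess_rank(password) is not None


if __name__ == "__main__":
    for length in (1, 4, 6, 8, 12):
        print(f"len={length:2d} keyspace={keyspace(length):.3e} "
              f"bits={entropy_bits(length):.1f} "
              f"P(hit in 1000 tries)={hit_probability(1000, length):.2e}")
    for pw in ("a" * 24, "password", "p@ssword", generate_password(12)):
        print(f"{pw!r}: rank in toy list = {guess_rank(pw)}")
```

With a 1-character minimum the whole keyspace is 62 strings, so any captcha budget above that lets an attacker walk every possible password for one account before the captcha triggers; the probability drops by a factor of 62 per extra character only for passwords actually chosen uniformly, which is why the server-issued password is the interesting part of the proposal. The wordlist ranks make the meeting's point: 24 a's has a nominal keyspace around 10^43 but is found early by a trivial pattern list, while the generated 12-character string is not in it at all.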
