Re: [Wikitech-l] Let's improve our password policy

2014-02-13 Thread Daniel Zahn
On Tue, Feb 4, 2014 at 1:33 AM, Petr Bena benap...@gmail.com wrote: Now just remember that password. I think that issue has been solved quite a while ago, you don't remember passwords, you keep them in password stores. you may have a master password to remember but you don't have the same on

Re: [Wikitech-l] Let's improve our password policy

2014-02-13 Thread Gryllida
I like how we got these things done early in the process: - termed the proposal as 'improve password policy', in the subject, implying that the solution is good - instead of asking how to do it - put a single proposal, raising the requirement, instead of putting a few proposed changes and asking

Re: [Wikitech-l] Let's improve our password policy

2014-02-11 Thread Chris Steipp
On Sat, Feb 8, 2014 at 8:14 AM, Brian Wolff bawo...@gmail.com wrote: On 2/7/14, Steven Walling steven.wall...@gmail.com wrote: I feel like I should reiterate why I proposed this change. Maybe no one cares, but I think it might help convince folks this is NOT an argument for let's reduce

Re: [Wikitech-l] Let's improve our password policy

2014-02-11 Thread MZMcBride
Chris Steipp wrote: Totally agree, and I added a first pass for it at https://www.mediawiki.org/wiki/Requests_for_comment/Passwords#Threats Thanks for this. I think it's a good start. I think it's reasonable to say that you've established that there are threats. In my opinion, now it's a matter

Re: [Wikitech-l] Let's improve our password policy

2014-02-08 Thread Tim Landscheidt
Nathan Larson nathanlarson3...@gmail.com wrote: [...] 2) How plausible is this scenario you mention, involving legal action? Has/would the WMF ever take/taken legal action against someone for actions taken with their user account? Why would that happen, when any damage done by a

Re: [Wikitech-l] Let's improve our password policy

2014-02-08 Thread Brian Wolff
On 2/7/14, Steven Walling steven.wall...@gmail.com wrote: I feel like I should reiterate why I proposed this change. Maybe no one cares, but I think it might help convince folks this is NOT an argument for let's reduce user freedom in the name of security. I didn't work on the RFC because

Re: [Wikitech-l] Let's improve our password policy

2014-02-07 Thread Steven Walling
I feel like I should reiterate why I proposed this change. Maybe no one cares, but I think it might help convince folks this is NOT an argument for let's reduce user freedom in the name of security. I didn't work on the RFC because I love tinkering with password security in my spare time and

Re: [Wikitech-l] Let's improve our password policy

2014-02-07 Thread Derric Atzrott
Actually to be honest, if I could login to Mediawiki with a public/private keypair I would actually really enjoy that. Certainly it shouldn't be the default, but in a very non-joking way, I would support an initiative to add that as an option. You mean kind of like this?

Re: [Wikitech-l] Let's improve our password policy

2014-02-06 Thread Chris Steipp
On Wed, Feb 5, 2014 at 8:00 PM, MZMcBride z...@mzmcbride.com wrote: Hi. Tyler Romeo wrote: On Wed, Feb 5, 2014 at 2:20 AM, MZMcBride z...@mzmcbride.com wrote: Ultimately, account security is a user's prerogative. [...] Banks and even e-mail providers have reason to implement stricter

Re: [Wikitech-l] Let's improve our password policy

2014-02-06 Thread Nathan Larson
On Thu, Feb 6, 2014 at 9:58 AM, Chris Steipp cste...@wikimedia.org wrote: 1) As I understand it, the reason we went from 0 to 1 character required is spammers were actively trying to find accounts with no password so they could edit with an autoconfirmed account. We rely on number of

Re: [Wikitech-l] Let's improve our password policy

2014-02-06 Thread Brian Wolff
brion ain't secure TimStarling password isn't secure either, and that's 8 It seems to me that a pretty secure approach would be to have the system give the user his 8-12 character password, rather than letting him pick a password. Then we can be assured that he's not

Re: [Wikitech-l] Let's improve our password policy

2014-02-06 Thread Tyler Romeo
On Thu, Feb 6, 2014 at 3:26 PM, Brian Wolff bawo...@gmail.com wrote: Well if we are going to go down that road, requiring public/private key pairs would also be more secure. However I doubt either would be acceptable to users. Actually, I think it might be better if we just have people come

Re: [Wikitech-l] Let's improve our password policy

2014-02-06 Thread Derric Atzrott
Well if we are going to go down that road, requiring public/private key pairs would also be more secure. However I doubt either would be acceptable to users. Actually, I think it might be better if we just have people come on down to the San Francisco office and show their government ID. Then

Re: [Wikitech-l] Let's improve our password policy

2014-02-06 Thread Tyler Romeo
On Thu, Feb 6, 2014 at 4:54 PM, Derric Atzrott datzr...@alizeepathology.com wrote: Actually to be honest, if I could login to Mediawiki with a public/private keypair I would actually really enjoy that. Certainly it shouldn't be the default, but in a very non-joking way, I would support an

Re: [Wikitech-l] Let's improve our password policy

2014-02-06 Thread MZMcBride
Chris Steipp wrote: 1) As I understand it, the reason we went from 0 to 1 character required is spammers were actively trying to find accounts with no password so they could edit with an autoconfirmed account. Err, citation needed. :-) I'd forgotten that I'd filed

Re: [Wikitech-l] Let's improve our password policy

2014-02-05 Thread Martijn Hoekstra
On Feb 5, 2014 8:21 AM, MZMcBride z...@mzmcbride.com wrote: Steven Walling wrote: I fully agree, and this is why the RFC is very clear that the *only immediate change proposed* is an increase in required minimum length from one character to six. It does not suggest that we require more

Re: [Wikitech-l] Let's improve our password policy

2014-02-05 Thread Vito
Let's say they are nearly valueless for most attackers. Generally speaking I think we should strongly encourage security without imposing it. A strength meter, some email reminder and a minimum of six chars for new passwords would be, imho, non-invasive good measures. Vito Sent with

Re: [Wikitech-l] Let's improve our password policy

2014-02-05 Thread Nathan Larson
On Wed, Feb 5, 2014 at 2:58 AM, Tyler Romeo tylerro...@gmail.com wrote: For example, MZMcBride, what if your password is wiki, and somebody compromises your account, and changes your password and email. You don't have a committed identity, so your account is now unrecoverable. You now have to

Re: [Wikitech-l] Let's improve our password policy

2014-02-05 Thread Brian Wolff
I think Steven meant upping the requirements for new accounts only. In that way nothing gets broken immediately. I'm still not absolutely convinced this is more useful than a hindrance if we clearly inform the user about password strength when they set them (see my earlier post about this

Re: [Wikitech-l] Let's improve our password policy

2014-02-05 Thread Derric Atzrott
For example, MZMcBride, what if your password is wiki, and somebody compromises your account, and changes your password and email. You don't have a committed identity, so your account is now unrecoverable. You now have to sign up for Wikipedia again, using the username MZMcBride2. Of course,

Re: [Wikitech-l] Let's improve our password policy

2014-02-05 Thread Tyler Romeo
On Wed, Feb 5, 2014 at 4:12 AM, Nathan Larson nathanlarson3...@gmail.com wrote: What if all of the email addresses that a user has ever used were to be stored permanently? Then in the event of an account hijacking, he could say to WMF, As your data will confirm, the original email address for

Re: [Wikitech-l] Let's improve our password policy

2014-02-05 Thread Steven Walling
On Tue, Feb 4, 2014 at 11:59 PM, Martijn Hoekstra martijnhoeks...@gmail.com wrote: I think Steven meant upping the requirements for new accounts only. In that way nothing gets broken immediately. I'm still not absolutely convinced this is more useful than a hindrance if we clearly inform the

Re: [Wikitech-l] Let's improve our password policy

2014-02-05 Thread MZMcBride
Hi. Tyler Romeo wrote: On Wed, Feb 5, 2014 at 2:20 AM, MZMcBride z...@mzmcbride.com wrote: Ultimately, account security is a user's prerogative. [...] Banks and even e-mail providers have reason to implement stricter authentication requirements. This is conflicting logic. If it is the user's

Re: [Wikitech-l] Let's improve our password policy

2014-02-04 Thread Martijn Hoekstra
On Sun, Jan 26, 2014 at 9:49 AM, Gryllida gryll...@fastmail.fm wrote: On Sun, 26 Jan 2014, at 0:02, rupert THURNER wrote: For the password policy: displaying a strength indicator is great. Anything more? I would say just leave it to the user. rupert. THANK YOU. My thoughts exactly. :-)

Re: [Wikitech-l] Let's improve our password policy

2014-02-04 Thread Petr Bena
fde#@%62jtgjsl$#5kgsgjgseojgro@#$%SEGsgesjojahREAGHkerahj23YJ34pwyjw3$#^WrejgshSH Time Required to Exhaustively Search this Password's Space: Online Attack Scenario: 5.04 thousand trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion

Re: [Wikitech-l] Let's improve our password policy

2014-02-04 Thread Vito
A three/four colour lamp + it might be forced in approx X days sounds great! Vito Sent with AquaMail for Android http://www.aqua-mail.com On 04 February 2014 10:19:12 Martijn Hoekstra martijnhoeks...@gmail.com wrote: On Sun, Jan 26, 2014 at 9:49 AM, Gryllida gryll...@fastmail.fm

Re: [Wikitech-l] Let's improve our password policy

2014-02-04 Thread Željko Filipin
On Tue, Feb 4, 2014 at 10:33 AM, Petr Bena benap...@gmail.com wrote: fde#@%62jtgjsl$#5kgsgjgseojgro@ #$%SEGsgesjojahREAGHkerahj23YJ34pwyjw3$#^WrejgshSH (...) Now just remember that password. All my passwords look like that and there is no need to remember them. You can use a password

Re: [Wikitech-l] Let's improve our password policy

2014-02-04 Thread Petr Bena
To be honest, one of the things I liked most about Wikipedia over other sites was no password policy whatsoever. I hope we never get into such a creepy state like the Oracle website, which requires such a complicated password that I always immediately forget it... On Tue, Feb 4, 2014 at 3:04 PM, Petr Bena

Re: [Wikitech-l] Let's improve our password policy

2014-02-04 Thread Petr Bena
Hacking into a password manager might be easier than hacking into a human brain :P On Tue, Feb 4, 2014 at 11:03 AM, Željko Filipin zfili...@wikimedia.org wrote: On Tue, Feb 4, 2014 at 10:33 AM, Petr Bena benap...@gmail.com wrote: fde#@%62jtgjsl$#5kgsgjgseojgro@

Re: [Wikitech-l] Let's improve our password policy

2014-02-04 Thread Steven Walling
On Tuesday, February 4, 2014, Petr Bena benap...@gmail.com wrote: To be honest, one of the things I liked most about Wikipedia over other sites was no password policy whatsoever. I hope we never get into such a creepy state like the Oracle website, which requires such a complicated password that I always

Re: [Wikitech-l] Let's improve our password policy

2014-02-04 Thread Steven Walling
On Tue, Feb 4, 2014 at 11:58 AM, Steven Walling steven.wall...@gmail.com wrote: On Tuesday, February 4, 2014, Petr Bena benap...@gmail.com wrote: To be honest, one of the things I liked most about Wikipedia over other sites was no password policy whatsoever. I hope we never get into such a creepy

Re: [Wikitech-l] Let's improve our password policy

2014-02-04 Thread MZMcBride
Steven Walling wrote: I fully agree, and this is why the RFC is very clear that the *only immediate change proposed* is an increase in required minimum length from one character to six. It does not suggest that we require more complex character types, such as mixed upper/lower case, numbers,

Re: [Wikitech-l] Let's improve our password policy

2014-02-04 Thread Tyler Romeo
On Wed, Feb 5, 2014 at 2:20 AM, MZMcBride z...@mzmcbride.com wrote: Ultimately, account security is a user's prerogative. [...] Banks and even e-mail providers have reason to implement stricter authentication requirements. This is conflicting logic. If it is the user's job to enforce their

Re: [Wikitech-l] Let's improve our password policy

2014-01-26 Thread Gryllida
On Sun, 26 Jan 2014, at 0:02, rupert THURNER wrote: For the password policy: displaying a strength indicator is great. Anything more? I would say just leave it to the user. rupert. THANK YOU. My thoughts exactly. :-) Everyone who has a thought should write it on-wiki for these people to hear

Re: [Wikitech-l] Let's improve our password policy

2014-01-25 Thread rupert THURNER
Hi Steven, thanks for this proposal. What I run into consistently, for years now, is not being logged in when I want to be. I'd really appreciate it if this were shown clearly on all wikis. I can never remember which ones indicate it and which ones don't. mediawiki.org indicates it, btw ... and I was

Re: [Wikitech-l] Let's improve our password policy

2014-01-25 Thread Isarra Yos
On 25/01/14 13:02, rupert THURNER wrote: For the password policy: displaying a strength indicator is great. Anything more? I would say just leave it to the user. rupert. This.

Re: [Wikitech-l] Let's improve our password policy

2014-01-25 Thread Steven Walling
On Sat, Jan 25, 2014 at 10:25 AM, Isarra Yos zhoris...@gmail.com wrote: On 25/01/14 13:02, rupert THURNER wrote: For the password policy: displaying a strength indicator is great. Anything more? I would say just leave it to the user. rupert. This. We should probably have this discussion on

[Wikitech-l] Let's improve our password policy

2014-01-24 Thread Steven Walling
Hi everyone, For some time now we've had two Requests for Comment floating around related to passwords, neither of them making much progress. One is the older password strength RFC which proposed creating a module to tell users about the strength of their passwords. The second, Password