https://bugzilla.wikimedia.org/show_bug.cgi?id=25925
--- Comment #12 from MZMcBride <b...@mzmcbride.com> ---
(In reply to comment #11)
> I don't think we should guarantee that users with very weak passwords (say
> under 6 characters, but we could draw the line elsewhere) should be able to
> log in forever (without changing or resetting the password).
>
> It was a mistake to ever allow such passwords [...]

Why a mistake? You know, before the minimum password length was 1, it was 0. I seem to remember Brion saying that he used to log in with a blank password. Many others did as well.

The vast, vast majority of MediaWiki accounts have almost no value, as Aryeh and others have argued (cf. comment 7 and r70520). I'd consider locking thousands of users out of their accounts to be a nuclear option.

> Another option is to only make this change for users with elevated rights
> (e.g. admins).

Right. This approach makes more sense. This is mostly covered by bug 16435. The idea is that accounts with elevated privileges (administrator, CheckUser, oversight, etc. accounts) could require a stronger password.

Of course, with logins still not required to use HTTPS, a lot of these security measures look rather silly.

Footnotes:
* bug 621 comment 1
* bug 1448 comment 3
* bug 4063 comment 1
* bug 9834 comment 0
* bug 30574 comment 3