On Tue, Feb 4, 2014 at 11:59 PM, Martijn Hoekstra <martijnhoeks...@gmail.com> wrote:

> I think Steven meant upping the requirements for new accounts only. In that
> way nothing gets broken immediately. I'm still not absolutely convinced
> this is more useful than a hindrance if we clearly inform the user about
> password strength when they set them (see my earlier post about "this
> password can be brute forced in x"). If users are then not deterred from
> setting their password to "wiki", apparently they didn't care, as we told
> them how easy it is to brute force.
>

We do not mean for new accounts only. We mean for all accounts.


>
> If Steven did mean something that will lock people out of their account on
> upgrades, then I don't think that's a good idea at all.
>

We will not lock people who are using their accounts out. The RFC
explicitly mentions two things which will help us have people avoid being
locked out of their account:

1. Being extremely loud about announcing the change. We have used
cluster-wide banners for this kind of purpose before.
2. As described in the RFC, there is a patch undergoing review which will
make it possible to force a reset *after* the user logs in again.

In any case, this RFC is about the MediaWiki default. If we want to set the
MediaWiki default in core but wait to update Wikimedia sites until we are
sure we won't lock a bunch of active users out of their accounts, we can do
that. We should separate out the rollout strategy from whether we think
that a minimum password length is a good default in MediaWiki.