On Wed, Feb 5, 2014 at 8:00 PM, MZMcBride <z...@mzmcbride.com> wrote:

> Hi.
>
> Tyler Romeo wrote:
> >On Wed, Feb 5, 2014 at 2:20 AM, MZMcBride <z...@mzmcbride.com> wrote:
> >> Ultimately, account security is a user's prerogative. [...] Banks and
> >>even e-mail providers have reason to implement stricter authentication
> >>requirements.
> >
> >This is conflicting logic. If it is the user's job to enforce their own
> >account security, what reason would banks or email providers have to
> >require long passwords?
>
> I'm not sure the logic is conflicting. I tried to separate individual
> thoughts into individual paragraphs. The common thread of my message was
> that I haven't yet seen enough evidence that the cost here is worth the
> benefit. The benefits to securing valueless accounts remain unclear,
> while the implementation cost is non-negligible.
>
> E-mail accounts are often used in identity verification processes and
> banks are banks. While you and I may disagree with their password
> policies, there's at least a reasonable explanation for implementing more
> stringent requirements in these two cases. Compare with MediaWiki user
> accounts. What's the argument here? Why is this worth any effort?
>

I think there are a couple of reasons why we have a duty to enforce strong
passwords. Let me try to convince you.

1) As I understand it, the reason we went from 0 to 1 character required is
spammers were actively trying to find accounts with no password so they
could edit with an autoconfirmed account. We rely on "number of
combinations of minimum passwords" to be greater than "number of tries
before an IP must also solve captcha to login" to mitigate some of this,
but I think there are straightforward ways for a spammer to get accounts
with our current setup. And I think increasing the minimum password length
is one component.

2) We do have a duty to protect our users' accounts with a reasonable
amount of effort/cost proportional to the weight we put on those
identities. I think we would be in a very difficult spot if the foundation
tried to take legal action against someone for the actions they took with
their user account, and the user said, "That wasn't me, my account probably
got hacked. And it's not my fault, because I did the minimum you asked me."
So I think we at least want to be roughly in line with "industry standard",
or have a calculated tradeoff against that, which is roughly 6-8 character
passwords with no complexity requirements. I personally think the
foundation and community _does_ put quite a lot of weight into users'
identities (most disputes and voting processes that I've seen have some
component that assumes edits by an account were done by a single person), so
I think we do have a responsibility to set the bar at a level appropriate
to that, assuming that all users will do the minimum that we ask. Whether
it's 4 or 6 characters for us I think is debatable, but I think 1 is not
reasonable.
>
> I personally regularly use single-character passwords on test MediaWiki
> wikis (and other sites) because, as a user, it's my right to determine
> what value to place in a particular account.
>
> If one day MediaWiki wikis (or Wikimedia wikis, really) allow per-user
> e-mail (i.e., mzmcbr...@wikipedia.org) or if there comes a time when
> identity verification becomes part of the discussion (compare with
> Twitter's blue checkmark verified account practice), then it may make
> sense to require (l|str)onger passwords in those specific cases. Even
> today, if you want to make Jimmy or members of the Wikimedia Foundation
> staff have crazy-long passwords, that may be reasonable or prudent or
> what-have-you, but that doesn't mean MediaWiki core should go along.
>
> >If somebody guesses a user's password and empties their bank account, the
> >bank could care less, since it is the customer's fault for not making
> >sure their password is long enough.
>
> I'm not sure this is true, but it's too off-topic to discuss here. A
> thread about global banking laws and practices, particularly with regard
> to liability and insurance and criminal activity, would certainly be
> interesting to read, though. :-)
>
> >I'm sure a very heavy Wikipedia editor, who uses his/her account
> >to make hundreds of edits a month but isn't necessarily an administrator
> >or other higher-level user, sees their account as something more than a
> >throwaway that can be replaced in an instant.
>
> I absolutely agree with you on this point. And I think we can encourage
> stronger passwords, even on the login form if you'd like. Rather than only
> using user groups, we could also use edit count or edit registration date
> or any number of other metrics. The catch, of course, is (a) finding
> developer consensus on a reasonable implementation of a password strength
> meter and (b) finding local community consensus to make changes on a
> per-variable basis.
>
> >For example, MZMcBride, what if your password is "wiki", and somebody
> >compromises your account, and changes your password and email. You don't
> >have a committed identity, so your account is now unrecoverable.
>
> For what it's worth, I think I have one or two committed identities buried
> in my user page history on the English Wikipedia. In any case, as you
> note, it's mostly a moot point with me.
>
> Finally, while not always the best precedent, it seems fair to look at the
> history here. As I recall (I'm relying on Cunningham's Law a little bit
> here ;-) UseModWiki and other early wiki engines allowed anonymous editing
> and even the ability to specify only a username when making an edit.
> MediaWiki itself used to allow completely blank passwords and people who
> are still active today used to have zero-length passwords. If history is
> any guide here, the idea that standard wiki accounts, and even online
> identity, is not particularly valuable is not new in the wiki world.
> Perhaps it's no longer the case today, but there was (and hopefully is)
> a noble goal to encourage a strong focus primarily on the content
> rather than the contributor. A lofty goal, indeed.
>
> MZMcBride
>
>
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
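The "keyspace vs. captcha throttle" reasoning in point 1 above, as an added example (not MediaWiki code and not from either author): a per-IP failed-login throttle of the kind the thread relies on, beside the check that says whether a candidate minimum password length keeps the keyspace above the captcha-free attempt budget. The throttle numbers (5 failures per 300 seconds) and the IP addresses are constructed assumptions, not the wiki's real configuration.

```python
"""Added example: per-IP login throttle plus minimum-length policy check.
Throttle parameters below are assumptions, not MediaWiki's defaults."""
from collections import defaultdict, deque

ATTEMPTS_PER_WINDOW = 5   # assumed: failed logins per IP before a captcha is demanded
WINDOW_SECONDS = 300      # assumed: length of the throttle window


class LoginThrottle:
    """Sliding window of failed-login timestamps, kept per client IP."""

    def __init__(self, limit=ATTEMPTS_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.failures = defaultdict(deque)

    def _prune(self, ip, now):
        # Drop failures that have aged out of the window.
        q = self.failures[ip]
        while q and now - q[0] >= self.window:
            q.popleft()

    def captcha_required(self, ip, now):
        """True once an IP has used up its captcha-free failures in the window."""
        self._prune(ip, now)
        return len(self.failures[ip]) >= self.limit

    def record_failure(self, ip, now):
        self._prune(ip, now)
        self.failures[ip].append(now)


def keyspace(min_len, alphabet_size):
    """Distinct passwords of exactly the minimum length."""
    return alphabet_size ** min_len


def policy_margin(min_len, alphabet_size, limit=ATTEMPTS_PER_WINDOW):
    """Minimum-length keyspace divided by captcha-free attempts per window.
    The thread's criterion is that this be comfortably above 1; at or below 1,
    one IP can try every minimum-length password without seeing a captcha."""
    return keyspace(min_len, alphabet_size) / limit


def policy_table(alphabet_size=26, lengths=(1, 4, 6, 8)):
    """Margin for each candidate minimum length (lowercase-only worst case)."""
    return {n: policy_margin(n, alphabet_size) for n in lengths}
```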