For MediaWiki
Yay, great stuff. A few issues:
I don't know for sure, but I'm assuming that this revision is related to this Signpost piece.
I find the entire idea that you need to be told how strong your password should be for your encyclopedia-editing account to be a bit extreme. It may make some sense for accounts with elevated user rights, but I think this is bad nannying when applied to all users.
Yes, it gave me the idea.
I don't think we should have any such password-checker for ordinary users. Ordinary user accounts can do nothing bad if compromised, we should not be trying to scare them into using harder-to-remember passwords. Security vs. convenience falls on the side of convenience here.
If actual password security is desired, it should use an existing well-established system, not a crude one made up by us. Your system rates "password123" as "acceptable", but "mfkropl" as "BAD", although the latter is much less guessable than the former. It labels two of the three most common passwords according to <http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time> as "mediocre" rather than "BAD" ("password" and "12345678"). It also seems to assume that nobody uses anything other than ASCII for passwords, which is totally unreasonable. This kind of pseudo-security is just annoying.
Some people might want this kind of silly thing, but I strongly feel that it should be off by default and off on all Wikimedia sites, or preferably relegated to an extension. A much better solution is to use a proper password security checker and make it mandatory for sysops, including prohibiting the promotion of a user to sysop if they don't have a secure enough password.
Ordinary users don't like being compromised more than others. For many people it's an online identity. We could approximate the damage it would do based on account age and activity, but that's unknown when creating the account. I think a good compromise is to show a password strength meter (without enforcing) and recommend passwords of moderate to high strength (instead of just high).
The problem is in measuring the password strength. As I asked on IRC, I'd like to see documented how it is being measured, so that it can be analysed without going down to the code. Ideally, someone would have already studied the problem and we would only need to code the conclusions from a paper.
Having your account compromised is extremely unlikely, but forgetting your password is common. Both can result in loss of access to the account. We should be encouraging ordinary users to use easy-to-remember (thus probably easy to guess) passwords to reduce the high risk of forgetting passwords, rather than encouraging them to use hard-to-guess (thus probably hard to remember) passwords to reduce the extremely tiny risk of someone trying to guess your password. Someone guessing your password is particularly unlikely for non-admins, since there's no obvious motive, and hackers almost always have a motive.
We should encourage providing an email instead. We can recommend password stores, too.
> Someone guessing your password is particularly unlikely for non-admins, since there's no obvious motive, and hackers almost always have a motive.
Anyway, the conditions under which the strength meter would be shown are something to be defined separately.
Confirming an e-mail is a pain, and many people change their e-mail address every few years (moving to different providers, changing name, etc.). People also might not want to give their e-mail to avoid spam.
I don't object to having a strength meter somewhere, as long as it doesn't use really stupid heuristics (which 98% of password strength meters do), but I strongly feel it should be off by default for all users, and off on Wikimedia for new users.
What about putting it on Special:ResetPassword but not on the sign-up screen? It would keep us from being off-putting to people signing up, but still allow for suggestions/strength feedback when they're changing their password.
Agree 100% that it should be based on good heuristics.
If it's reasonably pretty and unobtrusive and uses smart heuristics, then maybe that would be okay. None of those three conditions hold right now, though, so it should still be disabled by default until then. We should not be jumping on security-theater bandwagons that don't actually benefit our users more than annoy them.
Don't you have a bit of an extreme position here? If they think WMF is going to send spam, they are probably also going to use strong passwords. Regardless, we are not forcing anything here, just giving the user a good feeling and confidence if they happen to choose a good password. And yes, the meter should be fixed (it's broken, like I said above) and the heuristics should be made more appropriate.
I just don't think we should encourage regular users to use strong passwords at all. They should use weak, easy-to-remember passwords in preference to strong, hard-to-remember passwords. The risk of forgetting their password is much greater than the risk of someone else guessing their password, and the two scenarios are equivalently damaging (loss of access to account, no real damage done). Putting up a password strength meter encourages users to choose strong, hard-to-remember passwords, which is bad in the case of Wikipedia. Having your account compromised is only worse than forgetting your password when the attacker can cause damage or view private information, and that's not the case on normal wikis.
Note that you don't need to confirm the email for password reset, only to use Special:EmailUser.
It may not be the best available solution, but it is documented and deployed:
Microsoft Password checker <http://www.microsoft.com/uk/protect/yourself/password/checker.mspx>, with underlying design choices <http://www.microsoft.com/uk/protect/yourself/password/create.mspx>. This implementation differs from the one currently deployed on live.com. Also, neither of these two flags passwords made up of sequences of adjacent keys (e.g. "1qaz2wsx").
They are tips more than a documentation, but useful as well.
A shortcoming of that password checker (which is quite common) is that it considers "123456$a" as strong but "ryfewtyajfyknelzqthhbhbxfckxrxyesamwemuugkhzrvkfepzdmrpmfyleaoktjzxusmbvtweixrfz" weak, whereas the first has about 6.5536e+12 (408) bits of entropy and the second 1.57713125193e+113 (2680).
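As an added example (not code from this revision, nor from MediaWiki or the Microsoft checker), here is a sketch of the kind of heuristics the comments above ask for: a lookup against a list of common passwords so that "password" and "12345678" are rated BAD rather than "mediocre", the adjacent-key walk detection that catches "1qaz2wsx", a pool-size entropy estimate that measures non-ASCII passwords instead of ignoring them, and a dictionary-aware estimate so that "123456$a" is charged one pick from the list plus two random characters rather than eight random characters. The word list, keyboard layout, pool sizes and rating thresholds are constructed assumptions for illustration, not values used by any real checker.

```javascript
// Constructed sample of very common passwords; a real meter would load a large
// list such as the top-500 file linked in the thread. Sorted longest-first so
// the most specific match wins.
const COMMON_PASSWORDS = [
  "password123", "12345678", "password", "iloveyou", "letmein",
  "123456", "qwerty", "abc123", "111111",
].sort((a, b) => b.length - a.length);

// Assumed US keyboard rows, used to detect adjacent-key walks like "1qaz2wsx".
const KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"];

// Assumed pool sizes per character class. The non-ASCII figure is a deliberately
// conservative guess: the point is to measure such passwords, not reject them.
const POOLS = [
  [/[a-z]/, 26],
  [/[A-Z]/, 26],
  [/[0-9]/, 10],
  [/[\x20-\x2f\x3a-\x40\x5b-\x60\x7b-\x7e]/, 33], // ASCII punctuation and space
  [/[^\x00-\x7f]/, 100],
];

function keyPosition(ch) {
  for (let row = 0; row < KEYBOARD_ROWS.length; row++) {
    const col = KEYBOARD_ROWS[row].indexOf(ch);
    if (col >= 0) return [row, col];
  }
  return null; // not on the assumed layout (symbols, non-ASCII)
}

// True when at least `threshold` of consecutive key pairs are physically
// adjacent (same row or neighbouring row, column distance at most one).
function isKeyboardWalk(pw, minLen = 6, threshold = 0.75) {
  const keys = Array.from(pw.toLowerCase());
  if (keys.length < minLen) return false;
  let adjacent = 0;
  for (let i = 1; i < keys.length; i++) {
    const a = keyPosition(keys[i - 1]);
    const b = keyPosition(keys[i]);
    if (a && b && Math.abs(a[0] - b[0]) <= 1 && Math.abs(a[1] - b[1]) <= 1) adjacent++;
  }
  return adjacent / (keys.length - 1) >= threshold;
}

function poolSize(chars) {
  const s = chars.join("");
  let pool = 0;
  for (const [re, size] of POOLS) if (re.test(s)) pool += size;
  return Math.max(pool, 1);
}

// Entropy estimate in bits. A common-list match costs one pick from the list
// (log2 of its size), not per-character entropy; whatever remains is charged
// length * log2(pool). Code points are counted, not UTF-16 units.
function estimateBits(pw) {
  const lower = pw.toLowerCase();
  let bits = 0;
  let remainder = Array.from(pw);
  for (const common of COMMON_PASSWORDS) {
    const idx = lower.indexOf(common);
    if (idx >= 0) {
      bits += Math.log2(COMMON_PASSWORDS.length);
      remainder = Array.from(pw.slice(0, idx) + pw.slice(idx + common.length));
      break;
    }
  }
  if (remainder.length > 0) bits += remainder.length * Math.log2(poolSize(remainder));
  return bits;
}

// Assumed thresholds: below 20 bits or a keyboard walk is "bad", below 28 is
// "weak", below 50 is "moderate", anything else "strong".
function ratePassword(pw) {
  const normalized = pw.normalize("NFC"); // composed and decomposed forms measure alike
  const bits = estimateBits(normalized);
  let rating;
  if (isKeyboardWalk(normalized) || bits < 20) rating = "bad";
  else if (bits < 28) rating = "weak";
  else if (bits < 50) rating = "moderate";
  else rating = "strong";
  return { bits: Math.round(bits * 10) / 10, rating };
}

// The passwords discussed in this thread, plus a constructed Cyrillic one.
const SAMPLES = [
  "password123", "mfkropl", "password", "12345678", "1qaz2wsx", "123456$a", "пароль",
  "ryfewtyajfyknelzqthhbhbxfckxrxyesamwemuugkhzrvkfepzdmrpmfyleaoktjzxusmbvtweixrfz",
];
for (const pw of SAMPLES) {
  const { bits, rating } = ratePassword(pw);
  console.log(`${pw.slice(0, 16).padEnd(16)} ${String(bits).padStart(6)} bits  ${rating}`);
}
```

Against the cases in the thread this gives "password123", "password", "12345678" and "123456$a" a "bad" rating, "1qaz2wsx" "bad" on the walk rule alone (its raw pool estimate would be about 41 bits), "mfkropl" about 33 bits and "moderate", the Cyrillic sample about 40 bits and "moderate", and the 80-character string about 376 bits and "strong". The weak spot of any such list-based scheme is the list itself: a short constructed list like this one misses far more than it catches, which is why the thread's suggestion to reuse an established checker rather than home-grown heuristics still stands.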
Meh, let's just not include this in 1.17.
I tried taking it out of 1.17, but it's getting kind of annoying, so I'd rather just leave it in and leave it disabled by default.
...is what I said when I was almost falling asleep on my keyboard. 11 hours of sleep later, it was actually fairly easy. Taken out of 1.17 in r81445.