Wikinews:Water cooler/technical/archives/2012/October


Encouraging stronger passwords

I've mentioned this before, that longer passwords should be a requirement for privved accounts.

It isn't something I'd want to force upon people, but what I'd like is if we'd a consensus that employing a client-side strength-checker would be a good start. This discussion covers what a few fairly tech-savvy people think on the issue, and you end up pointed to this tool.

All there is extension-wise for MediaWiki is EnforceStrongPassword, which falls foul of all the policy weaknesses that passfault highlights.

If we can agree that, at least here for a trial, we've a password strength meter, then I can pop it up as a BugZilla request. To that, I'd add a request for a "change your password" nag message post-login. That being displayed if the password is over 3 months old. Again, not enforcing a change. --Brian McNeil / talk 13:24, 12 October 2012 (UTC)

Comments

  • I'm putting a 'vote' section on this straight away, as I can't see anyone seriously objecting. I'd hope if someone picks it up as a little project to make into an extension, they'd make enforcement an option which would be of use on other wikis where they might want a 'hard' policy. --Brian McNeil / talk 13:24, 12 October 2012 (UTC)
  • Seems likely Wikinews would be more concerned about strong passwords for ordinary users than any other sister, because publishing news articles is a more individually responsible task than any other wikimedia function I can think of other than checkuser and oversight. --Pi zero (talk) 13:55, 12 October 2012 (UTC)
  • To be honest, this strikes me as something where Wikinews' willingness to be experimented on should be put to good use. I'll bet if we got a decent password strength checker it would be rolled out across all Wikimedia wikis. There are a few closed wikis they could do with reminding people to be careful on. A "fully-featured" checker extension would allow fine-grained control over enforcement; admins must have 'good' (or better) passwords, and 'crats/checkusers/oversighters must have 'excellent' passwords.
They'd have a few 'headaches' incorporating that with SUL, mind.
The real fun would be translating password strength into concise terms: "poor", "mediocre", "reasonable", "good", "strong", "excellent" and "good luck NSA". :P --Brian McNeil / talk 14:52, 12 October 2012 (UTC)
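
An added example, not part of the original discussion and not code from MediaWiki, EnforceStrongPassword or passfault: a sketch of the client-side meter discussed above, showing why a plain composition rule accepts `P@ssw0rd1` while a pattern-aware estimate rates it "poor". The labels, role tiers and 3-month nag come from the thread; the bit thresholds, word list, role keys and all function names are assumptions.

```javascript
// Added example, not MediaWiki or passfault code. Thresholds, word list and
// role table are illustrative assumptions; labels come from the thread.
const LABELS = ["poor", "mediocre", "reasonable", "good", "strong", "excellent"];
const THRESHOLDS = [28, 40, 55, 70, 90]; // bits needed to reach each next label (assumed)
const COMMON = ["password", "wikinews", "qwerty", "letmein", "admin"]; // constructed sample list
const LEET = { "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i" };
const ROLE_MIN = { admin: "good", bureaucrat: "excellent", checkuser: "excellent", oversighter: "excellent" };

// What a plain composition rule checks: length plus four character classes.
function passesCompositionRule(pw) {
  return pw.length >= 8 && /[a-z]/.test(pw) && /[A-Z]/.test(pw) && /[0-9]/.test(pw) && /[^a-zA-Z0-9]/.test(pw);
}

// Rough guess-resistance in bits: known words (even leet-spelled) count as a
// flat 10 bits, repeated runs collapse to one character, and whatever is left
// is treated as random over the character classes it uses (an upper bound).
function estimateBits(pw) {
  const deleet = s => s.toLowerCase().replace(/[013457@$!]/g, c => LEET[c]);
  let rest = pw, bits = 0;
  for (const w of COMMON) {
    const i = deleet(rest).indexOf(w); // deleet is 1:1, so indexes line up
    if (i >= 0) { rest = rest.slice(0, i) + rest.slice(i + w.length); bits += 10; }
  }
  rest = rest.replace(/(.)\1+/g, "$1");
  let pool = 0;
  if (/[a-z]/.test(rest)) pool += 26;
  if (/[A-Z]/.test(rest)) pool += 26;
  if (/[0-9]/.test(rest)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(rest)) pool += 33;
  return bits + (pool ? rest.length * Math.log2(pool) : 0);
}

function strengthLabel(pw) {
  const bits = estimateBits(pw);
  return LABELS[THRESHOLDS.filter(t => bits >= t).length];
}

// Roles without an entry have no minimum, matching the "not enforcing" default.
function meetsRole(pw, role) {
  const min = ROLE_MIN[role];
  return !min || LABELS.indexOf(strengthLabel(pw)) >= LABELS.indexOf(min);
}

// Advisory nag only: true when the password is more than 3 months old.
function shouldNag(lastChanged, now) {
  const cutoff = new Date(now);
  cutoff.setUTCMonth(cutoff.getUTCMonth() - 3);
  return lastChanged < cutoff;
}
```

The estimate treats unrecognised text as random, so with a word list this small it overrates passphrases built from ordinary words; a real checker needs a proper dictionary.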

Votes

MediaWiki updates

  • Just got a warning that more changes to MediaWiki are to be rolled out.
See here: http://lists.wikimedia.org/pipermail/mediawiki-api/2012-October/002704.html
As-of Monday, the new version will be up on test.wikipedia.org and mediawiki.org.
Our main concern is likely to be that this could break: WN:MAKELEAD or EzPR.

How easy would it be to port these over to one of those wikis so, when we do get advance notice of updates we can 'kick the tyres'? --Brian McNeil / talk 11:35, 13 October 2012 (UTC)