Topic on Talk:Wikimedia Security Team/Password strengthening 2019

Warn, not require? Remember previous RfC??

2 comments • 18:34, 9 November 2019 5 years ago

2

Gryllida (talkcontribs)

I think there was a request for comment previously and the outcome was that enforcing any password strength is bad, instead a warning should be shown. Perhaps Requests for comment/Passwords is a part of that discussion, it may have happened at more than one place however.

A quote from that page is "We can encourage stronger passwords without requiring them."

I think this may be worth implementing, perhaps as

an e-mail to privileged users whose password is weak, and
a warning ui for people who are signing up.

Reply 23:15, 6 December 2018 5 years ago

Manorainjan (talkcontribs)

In the NIST paper it is mentioned:

A.1 Introduction

Despite widespread frustration with the use of passwords from both a usability and security standpoint, they remain a very widely used form of authentication [Persistence]. Humans, however, have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed. To address the resultant security concerns, online services have introduced rules in an effort to increase the complexity of these memorized secrets. The most notable form of these is composition rules, which require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol. However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought [Policies], although the impact on usability and memorability is severe.

Reply 18:34, 9 November 2019 5 years ago

Reply to "Warn, not require? Remember previous RfC??"