User:°/some ideas on common passwords

From Meta, a Wikimedia project coordination wiki
Jump to navigation Jump to search

Some ideas on common passwords. Feel free to add your ideas and comments to this page.

This is in answer to the following discussion on Requests for comment/Password policy for users with certain advanced permissions/comments:

I am not aware of any list of nonlatin passwords, but I have some ideas on what to, if nobody else comes up with one. But first some thoughts about who could be helpful in finding such lists:

It might be a good idea to ask contributers of the individual wiki projects. By this I do not mean to send out a mass message to the village pump of the projects, but to ask specific users, chosen by this qualifications: 1) is a regular contributer or admin at the project, 2) has an en-Babel on his/her user page, 3) has in the past contributed to the password page or user account security page.

In the absence of password lists for one or more writing systems, I suggest the following, based not on the rockyou corpus, but on a list of 25 most common passwords:

  1. password: It has already been mentioned to use the wikidata entry on password to find this word in many writing systems, that are used by wikimedia projects.
  2. all numeric passwords: This should be excluded from the common password list. Instead all digit only passwords with 8 or less unicode codepoints should be blacklisted. The enWp-RfC asks for 8 bytes, but unicode codepoints of digits in the various writing systems can be up to 4 bytes and calendar dates (birthday, day of account creation, national holyday) in various calendar systems can be 3 to 8 digits (3: first of january of the first year of reign of the japanese tenno; 8: 2 digits each for day and month and 4 digits year in muslim and jewish calendar) therefore a minimum of 9 unicode codepoints. This should also be useful for the password strength bar on projects that decide to use a requirement of for example 6 bytes for passwords. It might even be a good idea to extent this to passwords that are made of digits and non-letters only (-, /, :, . for latin passwords).
  3. qwerty: keys on the keyboard. This is qwertz for german and azerty for french keyboards. Keyboards for other writing systems should be researched.
  4. dragon, monkey, mustang: popular animals in different regions of the world in the local writing system.
  5. pussy: Ok, this is cat, coward or vulva in english; or it might be chosen because of the ambiguity of this meanings in english. Probably difficult what to include from other languages.
  6. baseball, football: The most popular sport in different regions of the world. For Afghanistan this would be buzkašī: ‏بزکشی‎.
  7. letmein, abc123: no idea.
  8. michael, jennifer, jordan, harley: popular names. Muḥammad ‏محمد‎, Alī ‏علي‎, Kim .
  9. shadow, master, superman: no idea.

About emailing a new password: You are right, a security question is not a good solution. But in my opinion the combination of email and question is still far better than the status quo. Not to offer email is not an option for admins, and to erase the email address from the preferences and post it on the user page to avoid the sending of passwords has severe drawbacks. Optimal would be to offer in the preferences 3 options of password recovery: 1) status quo, email only; 2) 2FA; 3) email and security question. The problem with 2FA is, that SMS is not available to all users and all over the world. Therefore an option to chose between SMS and an additional email address should be offered. The software should try to ensure that the two email addresses are by different providers.

--° (Gradzeichen) 21:19, 22 December 2015 (UTC)