User:°/some ideas on common passwords

From Meta, a Wikimedia project coordination wiki

Some ideas on common passwords. Feel free to add your ideas and comments to this page.

This is in answer to the following discussion on Requests for comment/Password policy for users with certain advanced permissions/comments:

I am not aware of any list of non-Latin passwords, but I have some ideas on what to do if nobody else comes up with one. But first some thoughts about who could be helpful in finding such lists:

It might be a good idea to ask contributors of the individual wiki projects. By this I do not mean to send out a mass message to the village pump of the projects, but to ask specific users, chosen by these qualifications: 1) is a regular contributor or admin at the project, 2) has an en-Babel on his/her user page, 3) has in the past contributed to the password page or user account security page.

In the absence of password lists for one or more writing systems, I suggest the following, based not on the rockyou corpus, but on a list of 25 most common passwords:

  1. password: It has already been mentioned to use the Wikidata entry on password to find this word in many writing systems that are used by Wikimedia projects.
  2. all numeric passwords: This should be excluded from the common password list. Instead all digit-only passwords with 8 or fewer Unicode code points should be blacklisted. The enWP RfC asks for 8 bytes, but Unicode code points of digits in the various writing systems can be up to 4 bytes, and calendar dates (birthday, day of account creation, national holiday) in various calendar systems can be 3 to 8 digits (3: first of January of the first year of reign of the Japanese tennō; 8: 2 digits each for day and month and 4 digits for the year in the Muslim and Jewish calendars), therefore a minimum of 9 Unicode code points. This should also be useful for the password strength bar on projects that decide to use a requirement of, for example, 6 bytes for passwords. It might even be a good idea to extend this to passwords that are made of digits and non-letters only (-, /, :, . for Latin passwords).
  3. qwerty: keys on the keyboard. This is qwertz for German and azerty for French keyboards. Keyboards for other writing systems should be researched.
  4. dragon, monkey, mustang: popular animals in different regions of the world in the local writing system.
  5. pussy: Ok, this is cat, coward or vulva in English; or it might be chosen because of the ambiguity of these meanings in English. It is probably difficult to decide what to include from other languages.
  6. baseball, football: The most popular sport in different regions of the world. For Afghanistan this would be buzkašī: ‏بزکشی‎.
  7. letmein, abc123: no idea.
  8. michael, jennifer, jordan, harley: popular names. Muḥammad ‏محمد‎, Alī ‏علي‎, Kim.
  9. shadow, master, superman: no idea.
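The digit-only rule in item 2 turns on one detail: the length limit has to count Unicode code points, not bytes, or a date typed in Arabic-Indic or Devanagari digits slips past an 8-byte rule. The following is an added example (not code from this page or from MediaWiki) showing how such a check would be written. It assumes Python's unicodedata categories (Nd for digits of any script, L* for letters) and uses a constructed sample blacklist made from the English words listed above; the non-Latin blacklist entries the page calls for are not included.

```python
import unicodedata

# Threshold from item 2 above: digit-only passwords of 8 or fewer code points
# are rejected, so a 9-code-point all-digit password is the minimum accepted.
MAX_ALL_DIGIT_CODEPOINTS = 8

# Constructed sample blacklist: English entries quoted on this page, stored in
# their normalized form. Entries for other scripts would be added the same way.
COMMON_PASSWORDS = {
    "password", "qwerty", "qwertz", "azerty", "letmein", "abc123",
    "dragon", "monkey", "mustang", "baseball", "football",
}


def is_digit(ch: str) -> bool:
    # Category Nd covers decimal digits in every script (0-9, ٠-٩, ०-९, ...).
    return unicodedata.category(ch) == "Nd"


def is_letter(ch: str) -> bool:
    return unicodedata.category(ch).startswith("L")


def codepoint_count(pw: str) -> int:
    # len() of a Python str counts code points, which is what the rule needs.
    return len(pw)


def byte_count(pw: str) -> int:
    # What an 8-byte rule would see; non-ASCII digits take 2 to 4 bytes each.
    return len(pw.encode("utf-8"))


def is_short_all_digit(pw: str, extended: bool = False) -> bool:
    """True if pw is digit-only (or, with extended=True, digits plus
    non-letter characters such as - / : .) and has at most 8 code points."""
    if not pw:
        return False
    if extended:
        only = any(is_digit(c) for c in pw) and not any(is_letter(c) for c in pw)
    else:
        only = all(is_digit(c) for c in pw)
    return only and codepoint_count(pw) <= MAX_ALL_DIGIT_CODEPOINTS


def normalize(pw: str) -> str:
    # NFKC folds fullwidth/compatibility forms; casefold handles case across scripts.
    return unicodedata.normalize("NFKC", pw).casefold()


def is_blacklisted(pw: str) -> bool:
    return normalize(pw) in COMMON_PASSWORDS


def check_password(pw: str, extended: bool = False) -> list:
    """Return the list of reasons a password is rejected (empty means accepted)."""
    reasons = []
    if is_short_all_digit(pw, extended):
        reasons.append("all-digit password of 8 or fewer code points")
    if is_blacklisted(pw):
        reasons.append("on the common password list")
    return reasons


if __name__ == "__main__":
    # Constructed samples: an ASCII date, the same digits in Arabic-Indic
    # numerals, a 9-digit number, and a punctuated date.
    for sample in ["12345678", "١٢٣٤٥٦٧٨", "123456789", "22/12/15", "PASSWORD"]:
        print(repr(sample), codepoint_count(sample), "code points,",
              byte_count(sample), "bytes ->", check_password(sample, extended=True))
```

The Arabic-Indic sample is 16 bytes long, so an 8-byte rule would accept it, while the code-point rule rejects it exactly like its ASCII counterpart; this is the discrepancy item 2 describes.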

About emailing a new password: You are right, a security question is not a good solution. But in my opinion the combination of email and question is still far better than the status quo. Not to offer email is not an option for admins, and to erase the email address from the preferences and post it on the user page to avoid the sending of passwords has severe drawbacks. Optimal would be to offer in the preferences 3 options of password recovery: 1) status quo, email only; 2) 2FA; 3) email and security question. The problem with 2FA is that SMS is not available to all users and all over the world. Therefore an option to choose between SMS and an additional email address should be offered. The software should try to ensure that the two email addresses are from different providers.

--° (Gradzeichen) 21:19, 22 December 2015 (UTC)