Upstreaming from https://translatewiki.net/wiki/Thread:Support/About_Phabricator:phabricator-people-148aaf2e06c62283/fr:_extremely_unsecure_suggestion!#About_[[Phabricator:phabricator-people-148aaf2e06c62283/fr]]:_extremely_unsecure_suggestion!_61310 and https://phabricator.wikimedia.org/T313023
Steps to replicate the issue (include links if applicable):
The embedded hint is the worst suggestion I have ever seen from Phabricator or any Wikimedia project:
After you set a new password, consider writing it down on a sticky note and attaching it to your monitor so you don't forget again! Choosing a very short, easy-to-remember password like "cat" or "1234" might also help.
If it is followed, it completely destroys the usefulness of passwords, allowing anyone to easily take control of accounts; bots would easily target these accounts as well. Various projects have strong requirements about the choice of good passwords (notably for administrator accounts, or accounts created for privacy and whose owners could become a source of legal threats when editing sensitive articles like those about the war in Ukraine, or LGBTQI+ topics, or accounts used for development with the review of edits, or approval and integration of changes in code or policies). Also, writing passwords on Post-its is not secure at all.
This is also a very bad suggestion for any other web site: users are instructed everywhere to NEVER use those "easy" tricks that break all best recommendations made by many authorities and project managers (and even by Wikimedia itself).
Given the now very HUGE risk of third-party attacks on the web (where personal account details are stolen by the tens of millions, even on very popular sites that were supposed to be secure, including massive attacks against popular wikis), we need stronger passwords stored in safe places, and that are also unique for each site (so that users of the wiki will also NOT reuse their passwords for their other critical accounts such as their bank, merchant sites, gaming sites, or other professional websites, or government and social security websites).
In all cases, the statement quoted above should be discarded completely. It is much safer to forget a password that you can change again by asking the website to generate a temporary password with which you can reconnect and change it immediately on first logon.
Instead, we should instruct users to consider using password managers (that can help generate strong passwords, and that can save them in a secured store). Today, password managers are integrated in most major web browsers, and allow synchronizing them across multiple devices, or can be integrated as plugins for most browsers or as accessibility companion apps for mobile devices.
Good password managers can also give hints when some known sites have been hacked, or when user passwords that were harvested on users' devices or stolen from legitimate sites are found on the dark web, where they are republished or resold.
I hope this is not a joke, but such a joke on this kind of security-related topic should be removed.
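As an added illustration of the two practices recommended in the preceding paragraphs (a temporary password that is changed on first logon, and strong generated passwords instead of "cat" or "1234"), here is example code that is not part of this task or of Phabricator. It assumes a hypothetical site that issues a time-limited, single-use temporary password, stores only a salted PBKDF2 hash of it, and rejects a weak replacement password; the blocklist and the 60-bit entropy threshold are constructed sample values, and delivery of the temporary password (for example by e-mail) is left to the caller.

```python
import hashlib
import hmac
import math
import secrets
import string
import time

# Constructed stand-in for a breached/weak password list; the hint's own
# examples "cat" and "1234" are included so they are rejected outright.
WEAK_PASSWORDS = {"cat", "1234", "password", "qwerty", "123456"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    """Generate a random password the way a password manager would (CSPRNG)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def estimate_entropy_bits(password):
    """Rough entropy estimate: length * log2(size of the character pool used)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def is_acceptable(password, min_bits=60):
    """Reject blocklisted passwords and anything below the entropy threshold."""
    if password.lower() in WEAK_PASSWORDS:
        return False
    return estimate_entropy_bits(password) >= min_bits


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TempPasswordStore:
    """Hypothetical reset flow: a temporary password that expires, can be
    redeemed once, and must be replaced by an acceptable new password."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._pending = {}  # user -> record with salt, hash, expiry, used flag

    def issue(self, user, now=None):
        """Create a temporary password for `user`; return it for delivery.
        Only its salted hash is kept server-side."""
        temp = generate_password(16)
        salt = secrets.token_bytes(16)
        now = time.time() if now is None else now
        self._pending[user] = {
            "salt": salt,
            "hash": _hash(temp, salt),
            "expires": now + self.ttl,
            "used": False,
        }
        return temp

    def redeem(self, user, temp, new_password, now=None):
        """First logon with the temporary password: verify it, then require a
        strong replacement. Returns True only when the change is accepted."""
        rec = self._pending.get(user)
        if rec is None or rec["used"]:
            return False
        now = time.time() if now is None else now
        if now > rec["expires"]:
            del self._pending[user]          # expired: a new one must be issued
            return False
        if not hmac.compare_digest(_hash(temp, rec["salt"]), rec["hash"]):
            return False                     # wrong temporary password
        if not is_acceptable(new_password):
            return False                     # weak replacement; user may retry
        rec["used"] = True                   # single use
        # Storing the hash of new_password in the account store is omitted here.
        return True
```

Note that the temporary password is rejected as the permanent one only because it is never offered as such: the user must supply a new password, and `is_acceptable` stops "cat", "1234" and other low-entropy choices from becoming the replacement.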