Can we call it what pretty much everyone else calls it, "application passwords"? Instead of "bot passwords" which sound specific to bots, when it's really not.

When I pitched this to @csteipp before putting a lot of work into writing code for it, he was concerned that calling it "application passwords" would make people think it was ok to use this instead of OAuth for tools. Since the entire point of this is to avoid breaking existing bot code when AuthManager finally happens (otherwise we'd just tell everyone to switch to OAuth and be done with it), we decided that calling it "bot passwords" would set the right expectations.

That's also why the header for Special:BotPasswords takes pains to point out that no one should ever ask you to generate one and tell it to them, and why Gerrit change 259067 exists.

Also worth noting that when Google introduced OAuth and tried to dissuade users from giving out their normal password, there already was a huge ecosystem of non-OAuth-enabled apps (including some of Google's own apps). In MediaWiki, on the other hand, automated login is pretty much only used by bots and the mobile apps (their developers need to be looped into this conversation BTW).

Mobile apps aren't bots, so this task doesn't apply to them. T110276: Rewrite the login API to use AuthManager does.

Once the API changes for AuthManager are finalized, we'll make the big announcement on wikitech-l about how authentication is going to change for everyone and what their options are. I suspect mobile apps will probably want to change over to action=clientlogin (or whatever I wind up naming it) rather than making users create an account on the desktop, set up a bot password, and then put the bot password into the app for login. OTOH, they might go for OAuth instead.

When I pitched this to @csteipp before putting a lot of work into writing code for it, he was concerned that calling it "application passwords" would make people think it was ok to use this instead of OAuth for tools. Since the entire point of this is to avoid breaking existing bot code when AuthManager finally happens (otherwise we'd just tell everyone to switch to OAuth and be done with it), we decided that calling it "bot passwords" would set the right expectations.

Does anyone else call it "bot passwords"? I think it's just needlessly confusing, given that "bot" is already an overused term. Also OAuth works for Wikimedia sites, but is an extra extension that most people won't have installed (it also requires mysql/memcached, etc.).

That's also why the header for Special:BotPasswords takes pains to point out that no one should ever ask you to generate one and tell it to them, and why Gerrit change 259067 exists.

Except presumably the bot framework that doesn't support OAuth is going to say, "hey! Go to Special:BotPasswords, generate one and type it in here".

What happened to Special:BotPasswords? The page is gone on Enwiki, and the login method appears to no longer work.

What happened to Special:BotPasswords? The page is gone on Enwiki, and the login method appears to no longer work.

Special:BotPasswords is part of the 1.27.0-wmf.11 release which was removed from the wikis at 2016-01-23T01:33Z due to issues with account logout processes. We have been working since then to correct these issues and 1.27.0-wmf.11 will be rolling back to the wikis with this week's deployment train (group0/testing on 2016-01-26, group1/non-wikipedia on 2016-01-27, all on 2016-01-28).

Special:BotPasswords will not be in 1.27.0-wmf.12 but is currently scheduled to return in 1.27.0-wmf.13.