Page MenuHomePhabricator
Create Task
Maniphest T104370

Strengthen password policy for Staff
Closed, ResolvedPublic
Actions

Description

After T94774, we can define password policies based on group membership.

Users in the Staff group (https://meta.wikimedia.org/wiki/Special:GlobalUsers/staff) have access to checkuser data and interface editing globally. An account compromise could have a significant impact on the sites availability (adding slow/harmful javascript to the site), user privacy (checkuser, adding tracking code to the interface), and reputation (deliver browser exploits from our sites).

My proposal is setting an 8-byte minimum length (users will be prompted to change their password on login) in the near term, and then require 8-byte minimum passwords to login after users have had time to update their passwords.

Details

SubjectRepoBranchLines +/-
Set password policy for global sysadmin groupoperations/mediawiki-configmaster+8 -0
Set initial Staff password policyoperations/mediawiki-configmaster+11 -8
Set initial Staff password policyoperations/mediawiki-configmaster+1 -1
Set initial Staff password policyoperations/mediawiki-configmaster+8 -0
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 Resolved csteippT104370 Strengthen password policy for Staff
 Resolved csteippT94774 Password policies by group

Event Timeline

csteipp created this task.Jun 30 2015, 6:51 PM
csteipp claimed this task.
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added projects: Security-General, Security-Team.
csteipp subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 30 2015, 6:51 PM
Krenair subscribed.Jun 30 2015, 7:09 PM

We should probably do the same for all other groups which have either direct checkuser globally or global editinterface as well...

csteipp mentioned this in T94774: Password policies by group.Jun 30 2015, 7:21 PM
Elitre subscribed.Jun 30 2015, 7:42 PM
Risker subscribed.Jun 30 2015, 7:47 PM
Ricordisamoa subscribed.Jun 30 2015, 9:03 PM
gerritbot subscribed.Jul 1 2015, 5:09 AM

Change 222057 had a related patch set uploaded (by CSteipp):
Set initial Staff password policy

https://gerrit.wikimedia.org/r/222057

gerritbot added a project: Patch-For-Review.Jul 1 2015, 5:09 AM
Glaisher subscribed.Jul 1 2015, 5:34 AM
csteipp moved this task from Incoming to In Progress on the Security-Team board.Jul 1 2015, 7:19 PM
csteipp added a project: Roadmap.
csteipp set Security to None.
Restricted Application added a project: Notice. · View Herald TranscriptJul 1 2015, 7:19 PM
csteipp added a comment.Jul 1 2015, 7:22 PM

The current plan is,

July 7: Increase minimum password length to 8, but users can still login with shorter passwords (https://gerrit.wikimedia.org/r/222057)
July 14: Require 8 bytes of password to login ('MinimumPasswordLengthToLogin' => 8)

csteipp moved this task from Unscheduled to July 6-10 on the Roadmap board.Jul 1 2015, 8:37 PM
csteipp added a subscriber: Jalexander.Jul 1 2015, 10:15 PM

@Jalexander suggested we include the sysadmin group too, which is primarily WMF staff, and two volunteers. They have the userrights right, so can give themselves checkuser / interface editing.

https://meta.wikimedia.org/wiki/Special:GlobalGroupPermissions/sysadmin
https://meta.wikimedia.org/wiki/Special:GlobalUsers/sysadmin

gpaumier moved this task from Backlog to Triaged on the Notice board.Jul 2 2015, 8:20 PM
gpaumier moved this task from Triaged to Archive on the Notice board.Jul 7 2015, 3:20 PM
csteipp triaged this task as Medium priority.Jul 10 2015, 5:50 PM
Trijnstel subscribed.Jul 20 2015, 9:53 PM
csteipp moved this task from In Progress to Waiting on the Security-Team board.Aug 18 2015, 11:58 PM
Dzahn added a subtask: T94774: Password policies by group.Oct 16 2015, 9:34 PM
gerritbot added a comment.Dec 10 2015, 9:33 PM

Change 222057 merged by jenkins-bot:
Set initial Staff password policy

https://gerrit.wikimedia.org/r/222057

gerritbot added a comment.Dec 11 2015, 12:05 AM

Change 258385 had a related patch set uploaded (by CSteipp):
Set initial Staff password policy

https://gerrit.wikimedia.org/r/258385

gerritbot added a comment.Dec 11 2015, 12:07 AM

Change 258385 merged by jenkins-bot:
Set initial Staff password policy

https://gerrit.wikimedia.org/r/258385

gerritbot added a comment.Dec 16 2015, 12:05 AM

Change 258387 had a related patch set uploaded (by Catrope):
Set initial Staff password policy

https://gerrit.wikimedia.org/r/258387

gerritbot added a comment.Dec 16 2015, 12:07 AM

Change 258387 merged by jenkins-bot:
Set initial Staff password policy

https://gerrit.wikimedia.org/r/258387

csteipp added a comment.Dec 16 2015, 12:32 AM

Policies are now enforced for staff. I'll add a followup for sysadmins tomorrow, assuming no issues pop up.

gerritbot added a comment.Dec 16 2015, 12:44 AM

Change 259436 had a related patch set uploaded (by CSteipp):
Set password policy for global sysadmin group

https://gerrit.wikimedia.org/r/259436

gerritbot added a comment.Dec 17 2015, 12:03 AM

Change 259436 merged by jenkins-bot:
Set password policy for global sysadmin group

https://gerrit.wikimedia.org/r/259436

csteipp closed this task as Resolved.Dec 17 2015, 12:10 AM

Policies enforced for sysadmin now too.

sbassett moved this task from Waiting to Our Part Is Done on the Security-Team board.Jun 11 2019, 6:04 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL