
Strengthen password policy for Stewards
Closed, Resolved · Public

Description

After T94774, we can define password policies based on group membership.

Users in the Stewards group (https://meta.wikimedia.org/wiki/Special:GlobalGroupPermissions/steward) have access to interface editing globally, and are allowed to give themselves checkuser access. An account compromise could have a significant impact on the site's availability (adding slow/harmful JavaScript to the site), user privacy (checkuser, adding tracking code to the interface), and reputation (delivering browser exploits from our sites).

My proposal is setting an 8-byte minimum length (users will be prompted to change their password on login) in the near term, and then require 8-byte minimum passwords to log in after users have had time to update their passwords.
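The two-phase rollout proposed above can be modelled as two thresholds per group: one that only prompts for a password change and one that blocks login. The following is an added example, not code from this task or from MediaWiki; the class, function and policy names are hypothetical, the sample passwords are constructed, and taking the strictest value across a user's groups is an assumption of the example. Length is measured in bytes, as the proposal words it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    min_length: int           # shorter than this: prompt for a password change
    min_length_to_login: int  # shorter than this: refuse the login


# Constructed policies (names and values are assumptions for illustration).
DEFAULT = Policy(min_length=1, min_length_to_login=1)
PHASE1 = {"steward": Policy(min_length=8, min_length_to_login=1)}  # prompt only
PHASE2 = {"steward": Policy(min_length=8, min_length_to_login=8)}  # enforce


def effective_policy(groups, group_policies, default=DEFAULT):
    """Combine the default with every group policy that applies to the user.

    Assumption of this example: the strictest (largest) value of each
    setting wins when a user belongs to several groups.
    """
    applicable = [default] + [group_policies[g] for g in groups if g in group_policies]
    return Policy(
        min_length=max(p.min_length for p in applicable),
        min_length_to_login=max(p.min_length_to_login for p in applicable),
    )


def check_login(password, groups, group_policies):
    """Return 'reject', 'prompt_change' or 'ok' for a correct password."""
    # Byte length, not character count: multi-byte characters count more than once.
    n_bytes = len(password.encode("utf-8"))
    policy = effective_policy(groups, group_policies)
    if n_bytes < policy.min_length_to_login:
        return "reject"
    if n_bytes < policy.min_length:
        return "prompt_change"
    return "ok"


if __name__ == "__main__":
    for phase_name, phase in (("phase 1", PHASE1), ("phase 2", PHASE2)):
        print(phase_name, check_login("abc123", ["steward"], phase))
```
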

Event Timeline

csteipp created this task. Jun 30 2015, 6:56 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description.
csteipp added subscribers: Aklapper, csteipp, hoo.
Risker added a subscriber: Risker. Jun 30 2015, 7:48 PM
Teles added a subscriber: Teles. Jun 30 2015, 8:09 PM
Restricted Application added a subscriber: Matanya. Sep 19 2015, 3:42 PM
Savh added a subscriber: Savh. Oct 26 2015, 4:57 PM
Restricted Application added a subscriber: StudiesWorld. Dec 14 2015, 11:31 AM

Change 259439 had a related patch set uploaded (by CSteipp):
Set password policy for global steward group

https://gerrit.wikimedia.org/r/259439

@csteipp: Any idea when this patch will go live? And could you please 'warn' us on time by sending an email to stewards-l via your wikimedia email address? Thanks! :)

@Trijnstel, we're now only doing critical deployments through the end of
the year, so the earliest I can deploy is the week of Jan 11th. I'll notify
the list at least a week in advance!

RuyP added a subscriber: RuyP. Dec 29 2015, 9:54 PM
Restricted Application added a subscriber: JEumerus. Dec 29 2015, 9:54 PM
Stryn added a subscriber: Stryn. Jan 5 2016, 8:33 PM
Dereckson added a subscriber: Dereckson. Edited Feb 2 2016, 2:07 AM

> @Trijnstel, we're now only doing critical deployments through the end of
> the year, so the earliest I can deploy is the week of Jan 11th. I'll notify
> the list at least a week in advance!

@csteipp ping?

Thanks for the ping @Dereckson. I've scheduled this for deployment Evening SWAT tomorrow - https://wikitech.wikimedia.org/wiki/Deployments#Thursday.2C.C2.A0February.C2.A011

Change 259439 merged by jenkins-bot:
Set password policy for global steward group

https://gerrit.wikimedia.org/r/259439

00:12:55 Synchronized wmf-config/CommonSettings.php: https://gerrit.wikimedia.org/r/#/c/259439/ (duration: 02m 20s)

Krenair closed this task as Resolved. Feb 11 2016, 12:35 AM
Krenair claimed this task.
sbassett moved this task from Backlog to Done on the Security-Team board. Jun 11 2019, 7:18 PM