
Strengthen password policy for Ombudsmen
Closed, Resolved, Public

Description

After T94774, we can define password policies based on group membership.

Users in the Ombudsmen group (https://meta.wikimedia.org/wiki/Special:GlobalGroupPermissions/ombudsman) have access to checkuser data globally. An account compromise could impact the privacy of our users.

My proposal is setting an 8-byte minimum length (users will be prompted to change their password on login) in the near term, and then requiring 8-byte minimum passwords to log in after users have had time to update their passwords.

Event Timeline

csteipp created this task. Jun 30 2015, 7:09 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description.
csteipp added subscribers: csteipp, Aklapper.
csteipp renamed this task from Strengthen password policy for Ombudsmen to Strengthen password policy for Checkusers. Jun 30 2015, 7:14 PM
csteipp updated the task description.
csteipp set Security to None.
csteipp renamed this task from Strengthen password policy for Checkusers to Strengthen password policy for Ombudsmen. Jun 30 2015, 7:16 PM
csteipp updated the task description.
revi added a subscriber: revi. Dec 11 2015, 12:09 AM
Restricted Application added a subscriber: StudiesWorld. Dec 11 2015, 12:09 AM

Change 318948 had a related patch set uploaded (by Reedy):
Enforce same password policy for ombudsman as for checkuser et al

https://gerrit.wikimedia.org/r/318948

Change 318948 abandoned by Reedy:
Enforce same password policy for ombudsman as for checkuser et al

Reason:
Actually already done

https://gerrit.wikimedia.org/r/318948

Reedy closed this task as Resolved. Oct 31 2016, 3:47 PM
Reedy assigned this task to csteipp.
Reedy added a subscriber: Reedy.
	// See [[m:Requests_for_comment/Password_policy_for_users_with_certain_advanced_permissions]]
	foreach ( [ 'global-sysop', 'global-interface-editor', 'wmf-researcher',
		'new-wikis-importer', 'ombudsman', 'founder' ] as $group
	) {
		$wgCentralAuthGlobalPasswordPolicies[$group] = [
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
			'PasswordCannotBePopular' => 10000,
		];
	}

Already done too

sbassett moved this task from Backlog to Done on the Security-Team board. Jun 11 2019, 7:18 PM
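
The two phases proposed in the task description (prompt for a new password on login, then refuse login) correspond to the MinimalPasswordLength and MinimumPasswordLengthToLogin values in the configuration quoted above. The Python model below is an added example, not MediaWiki or CentralAuth code. The function names, the constructed popular-password list, and the treatment of username and popularity failures as prompts rather than denials are assumptions.

```python
"""Model of a two-tier group password policy (added example, not project code)."""

# Policy values copied from the configuration quoted on this page.
OMBUDSMAN_POLICY = {
    "MinimalPasswordLength": 8,
    "MinimumPasswordLengthToLogin": 1,
    "PasswordCannotMatchUsername": True,
    "PasswordCannotBePopular": 10000,
}

# Constructed stand-in for a ranked popular-password list (most common first).
POPULAR_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123"]


def evaluate(username, password, policy, popular=POPULAR_PASSWORDS):
    """Return (decision, reasons); decision is 'deny', 'prompt_change' or 'ok'."""
    length = len(password.encode("utf-8"))  # the task speaks of bytes, not characters
    # Hard floor: below this the login itself is refused.
    if length < policy.get("MinimumPasswordLengthToLogin", 0):
        return "deny", ["MinimumPasswordLengthToLogin"]
    reasons = []
    # Soft checks: login succeeds, but the user is prompted to change password.
    if length < policy.get("MinimalPasswordLength", 0):
        reasons.append("MinimalPasswordLength")
    # Assumption: the username comparison is case-insensitive.
    if policy.get("PasswordCannotMatchUsername") and password.lower() == username.lower():
        reasons.append("PasswordCannotMatchUsername")
    top_n = policy.get("PasswordCannotBePopular", 0)
    if top_n and password in popular[:top_n]:
        reasons.append("PasswordCannotBePopular")
    return ("prompt_change" if reasons else "ok"), reasons


def enforce_phase(policy):
    """Second phase of the proposal: raise the login floor to the minimum length."""
    hardened = dict(policy)  # copy, so the near-term policy stays unchanged
    hardened["MinimumPasswordLengthToLogin"] = policy["MinimalPasswordLength"]
    return hardened
```

With the quoted values, a 5-byte password still logs in but triggers a change prompt; the same password is refused once `enforce_phase` raises the login floor to 8.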