
Strengthen password policy for Checkusers
Closed, Resolved · Public

Description

Users who are in the Checkuser group on any wiki have access to users' IP addresses. An account compromise could impact the privacy of our users.

Since this is a fairly large group, I'm not sure what an appropriate initial and long-term policy should be. I think an 8-byte minimum is a good start.

Event Timeline

csteipp created this task. Jun 30 2015, 7:18 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description.
csteipp added a subscriber: csteipp.
Restricted Application added a subscriber: Aklapper. Jun 30 2015, 7:18 PM
Meno25 added a subscriber: Meno25. Jul 2 2015, 1:49 PM
Reedy closed this task as Resolved. Oct 31 2016, 3:39 PM
Reedy assigned this task to csteipp.
Reedy added a subscriber: Reedy.

This seems to be done for all intents and purposes? It's looped in with other groups that have elevated permissions

} else {
	// See password policy RFC on meta
	// [[m:Requests_for_comment/Password_policy_for_users_with_certain_advanced_permissions]]
	foreach ( [ 'bureaucrat', 'sysop', 'checkuser', 'oversight' ] as $group ) {
		$wgPasswordPolicy['policies'][$group]['MinimalPasswordLength'] = 8;
		$wgPasswordPolicy['policies'][$group]['MinimumPasswordLengthToLogin'] = 1;
		$wgPasswordPolicy['policies'][$group]['PasswordCannotBePopular'] = 10000;
	}

	$wgPasswordPolicy['policies']['bot']['MinimalPasswordLength'] = 1;
}
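
How the per-group values in the snippet above combine for an account that holds several groups, as an added standalone example that is not part of the thread or of MediaWiki's code. It is a simplified model of strictest-value-wins merging; the 'default' row, the function names and the popularity ranks are assumptions.

```php
<?php
// Added illustration: a standalone model, not MediaWiki's own code.
// Group values are copied from the snippet above; 'default' is an assumed baseline.
$policies = [
	'default' => [ 'MinimalPasswordLength' => 1 ], // assumed
	'bot'     => [ 'MinimalPasswordLength' => 1 ],
];
foreach ( [ 'bureaucrat', 'sysop', 'checkuser', 'oversight' ] as $group ) {
	$policies[$group] = [
		'MinimalPasswordLength' => 8,
		'MinimumPasswordLengthToLogin' => 1,
		'PasswordCannotBePopular' => 10000,
	];
}

// Merge the policies of every group a user holds, keeping the strictest
// (largest) value per key, so a lax 'bot' row cannot weaken 'checkuser'.
function effectivePolicy( array $policies, array $groups ): array {
	$effective = $policies['default'];
	foreach ( $groups as $group ) {
		foreach ( $policies[$group] ?? [] as $key => $value ) {
			$effective[$key] = max( $effective[$key] ?? 0, $value );
		}
	}
	return $effective;
}

// Classify a password against a merged policy. Length is counted in bytes.
// $popularRank: 1-based rank in a common-password list, null if unlisted (hypothetical input).
function checkPassword( array $policy, string $password, ?int $popularRank ): string {
	$len = strlen( $password );
	if ( $len < ( $policy['MinimumPasswordLengthToLogin'] ?? 0 ) ) {
		return 'login refused';
	}
	if ( $len < ( $policy['MinimalPasswordLength'] ?? 0 ) ) {
		return 'login allowed, rejected as a new password';
	}
	if ( $popularRank !== null && $popularRank <= ( $policy['PasswordCannotBePopular'] ?? 0 ) ) {
		return 'login allowed, rejected as a new password';
	}
	return 'ok';
}

// Constructed sample account: member of both 'bot' and 'checkuser'.
$cu = effectivePolicy( $policies, [ 'bot', 'checkuser' ] );
echo json_encode( $cu ), "\n";
echo checkPassword( $cu, '', null ), "\n";                // empty password
echo checkPassword( $cu, 'hunter2', null ), "\n";         // 7 bytes
echo checkPassword( $cu, 'password1', 30 ), "\n";         // constructed rank
echo checkPassword( $cu, 'tr4il-mix-okapi', null ), "\n";
```
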
Meno25 removed a subscriber: Meno25. Nov 4 2016, 7:06 AM
sbassett moved this task from Backlog to Done on the Security-Team board. Jun 11 2019, 7:18 PM