
Strengthen password policy for Checkusers
Closed, Resolved (Public)

Description

Users who are in the Checkuser group on any wiki have access to users' IP addresses. An account compromise could impact the privacy of our users.

Since this is a fairly large group, I'm not sure what an appropriate initial and long-term policy should be. I think 8-byte minimum is a good start.

Event Timeline

csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description.
csteipp subscribed.
Reedy assigned this task to csteipp.
Reedy subscribed.

This seems to be done for all intents and purposes? It's looped in with other groups that have elevated permissions.

} else {
	// See password policy RFC on meta
	// [[m:Requests_for_comment/Password_policy_for_users_with_certain_advanced_permissions]]
	foreach ( [ 'bureaucrat', 'sysop', 'checkuser', 'oversight' ] as $group ) {
		$wgPasswordPolicy['policies'][$group]['MinimalPasswordLength'] = 8;
		$wgPasswordPolicy['policies'][$group]['MinimumPasswordLengthToLogin'] = 1;
		$wgPasswordPolicy['policies'][$group]['PasswordCannotBePopular'] = 10000;
	}

	$wgPasswordPolicy['policies']['bot']['MinimalPasswordLength'] = 1;
}
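
How the three settings in the snippet above interact for an account in one or several groups, as an added example that is not code from this task or from MediaWiki. It is a simplified model that assumes the strictest value across a user's groups applies, that failing `MinimumPasswordLengthToLogin` blocks login while the other two checks only force a password change, and that lengths are counted in bytes; the function names, the `$popular` list and the test passwords are constructed for illustration.

```php
<?php
// Simplified model of the checks configured above; not MediaWiki's implementation.
// Policy values copied from the snippet on this page.
$policies = [];
foreach ( [ 'bureaucrat', 'sysop', 'checkuser', 'oversight' ] as $group ) {
	$policies[$group] = [
		'MinimalPasswordLength' => 8,
		'MinimumPasswordLengthToLogin' => 1,
		'PasswordCannotBePopular' => 10000,
	];
}
$policies['bot'] = [ 'MinimalPasswordLength' => 1 ];

// Constructed stand-in for a ranked common-password list (most common first).
$popular = [ '123456', 'password', '12345678', 'qwertyuiop', 'letmein123' ];

// Effective policy (assumption): per check, the highest value among the user's groups.
function effectivePolicy( array $policies, array $groups ): array {
	$effective = [];
	foreach ( $groups as $group ) {
		foreach ( $policies[$group] ?? [] as $check => $value ) {
			$effective[$check] = max( $effective[$check] ?? 0, $value );
		}
	}
	return $effective;
}

// Returns 'ok', 'must-change' (login allowed, new password required) or 'deny-login'.
function evaluate( string $password, array $policy, array $popular ): string {
	if ( strlen( $password ) < ( $policy['MinimumPasswordLengthToLogin'] ?? 0 ) ) {
		return 'deny-login';
	}
	$topN = array_slice( $popular, 0, $policy['PasswordCannotBePopular'] ?? 0 );
	if ( strlen( $password ) < ( $policy['MinimalPasswordLength'] ?? 0 )
		|| in_array( $password, $topN, true )
	) {
		return 'must-change';
	}
	return 'ok';
}

foreach ( [ [ 'checkuser' ], [ 'bot' ], [ 'bot', 'sysop' ] ] as $groups ) {
	$policy = effectivePolicy( $policies, $groups );
	foreach ( [ '', 'short', '12345678', 'correct horse battery' ] as $pw ) {
		printf( "%-12s %-24s %s\n", implode( '+', $groups ), "'$pw'", evaluate( $pw, $policy, $popular ) );
	}
}
```

In this model an account that is only in `bot` passes with any non-empty password, while an account in both `bot` and `sysop` is held to the `sysop` values.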