Page MenuHomePhabricator
Create Task
Maniphest T121179

Implement password complexity password policy check
Closed, DeclinedPublic
Actions

Description

There's many variations of this:

  • Must contain number
  • Must contain special character
  • Must contain upper/lowercase letter....

I guess there's scope for password with repeated characters. "Password must be 10 characters; oh look, aaaaaaaaaa works" too

https://en.wikipedia.org/wiki/Password_policy#Password_length_and_formation

Related Objects

Event Timeline

Reedy created this task.Dec 11 2015, 12:34 AM
Reedy raised the priority of this task from to Low.
Reedy updated the task description. (Show Details)
Reedy added projects: MediaWiki-User-login-and-signup, Security-Team.
Reedy added a subscriber: Reedy.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 11 2015, 12:34 AM
Reedy updated the task description. (Show Details)Dec 11 2015, 12:40 AM
Reedy set Security to None.
Ricordisamoa added a subscriber: Ricordisamoa.Dec 11 2015, 7:39 AM
Aklapper mentioned this in T200052: Mandate that account passwords must be a minimum of eight characters on Wikimedia projects.Jul 20 2018, 12:21 PM
TheDJ added a subscriber: TheDJ.Jul 21 2018, 8:50 AM

Related: T32574: Display a password strength bar

ThurnerRupert added a subscriber: ThurnerRupert.Jul 21 2018, 1:32 PM

this is against recent NIST research, and should be closed as "not implement":
https://pages.nist.gov/800-63-3/sp800-63b.html

ThurnerRupert closed this task as Declined.Jul 21 2018, 1:33 PM
ThurnerRupert updated the task description. (Show Details)
Reedy added a comment.Jul 21 2018, 1:36 PM
In T121179#4443043, @ThurnerRupert wrote:

this is against recent NIST research, and should be closed as "not implement":
https://pages.nist.gov/800-63-3/sp800-63b.html

Just linking to a 74 page document isn't helpful

I'm guessing you specifically mean...

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.

ThurnerRupert added a comment.EditedJul 21 2018, 2:11 PM

yes, exactly, many thanks for the copy out, reedy! there is T32574 as well which partially covers what is mentioned in this ticket (aaaaaaa)

sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 7:10 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL