Maniphest T121179

Implement password complexity password policy check
Closed, DeclinedPublic
Actions

Tags

Subscribers

ThurnerRupert, TheDJ, Ricordisamoa and 2 others

Assigned To

None

Authored By

Reedy, Dec 11 2015

Description

There's many variations of this:

Must contain number
Must contain special character
Must contain upper/lowercase letter....

I guess there's scope for password with repeated characters. "Password must be 10 characters; oh look, aaaaaaaaaa works" too

https://en.wikipedia.org/wiki/Password_policy#Password_length_and_formation

Related Objects

Mentioned In: T200052: Mandate that account passwords must be a minimum of eight characters on Wikimedia projects
Mentioned Here: T32574: Display a password strength bar

Event Timeline

Reedy created this task.Dec 11 2015, 12:34 AM

Reedy raised the priority of this task from to Low.

Reedy updated the task description. (Show Details)

Reedy added projects: MediaWiki-User-login-and-signup, Security-Team.

Reedy added a subscriber: Reedy.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 11 2015, 12:34 AM

Reedy updated the task description. (Show Details)Dec 11 2015, 12:40 AM

Reedy set Security to None.

Ricordisamoa added a subscriber: Ricordisamoa.Dec 11 2015, 7:39 AM

Aklapper mentioned this in T200052: Mandate that account passwords must be a minimum of eight characters on Wikimedia projects.Jul 20 2018, 12:21 PM

Related: T32574: Display a password strength bar

this is against recent NIST research, and should be closed as "not implement":
https://pages.nist.gov/800-63-3/sp800-63b.html

ThurnerRupert closed this task as Declined.Jul 21 2018, 1:33 PM

ThurnerRupert updated the task description. (Show Details)

In T121179#4443043, @ThurnerRupert wrote:

this is against recent NIST research, and should be closed as "not implement":
https://pages.nist.gov/800-63-3/sp800-63b.html

Just linking to a 74 page document isn't helpful

I'm guessing you specifically mean...

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.

yes, exactly, many thanks for the copy out, reedy! there is T32574 as well which partially covers what is mentioned in this ticket (aaaaaaa)

sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 7:10 PM