Implement results of enwiki Security review RfC
Open, Low, Public

Description

https://en.wikipedia.org/wiki/Wikipedia:Security_review_RfC

Results:

  • Length increase to 6 bytes
  • Length increase to 8 bytes
  • Uncommon passwords
  • Add a password strength bar to the "Create account" page
  • Password requirements for Crats, Stewards and Founder groups
  • Password requirements for Functionary group
  • Password requirements for Administrator group
  • Password requirements for Edit Filter Manager group
  • Regular audits for Functionary group
  • Regular audits for Administrator group

Of these

  • Increasing the password length to 8 bytes and requiring uncommon passwords are easy: T119100: Increase MinimalPasswordLength to 8 for several local and global groups
    • Since policies are group based, we'll apply the settings to the local enwiki groups: sysops, bureaucrat, steward, and founder
  • Adding a password strength meter is a good idea, but will require some development work
  • Regular audits will take some work to get set up
csteipp created this task. Dec 11 2015, 2:05 AM
csteipp updated the task description.
csteipp raised the priority of this task from to Needs Triage.
csteipp added a subscriber: csteipp.
Restricted Application added subscribers: StudiesWorld, Aklapper. Dec 11 2015, 2:05 AM
Restricted Application added subscribers: JEumerus, Matanya. Jan 22 2016, 11:30 AM
csteipp moved this task from Backlog to In Progress on the Security-Team board. Jan 26 2016, 4:48 PM
csteipp claimed this task. Feb 26 2016, 8:17 PM
csteipp updated the task description. Mar 15 2016, 3:26 PM
Reedy added a subscriber: Reedy. Oct 31 2016, 9:46 PM
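The group-based settings the description refers to are expressed through MediaWiki's $wgPasswordPolicy. The block below is an added illustration written for this page; it is not the enwiki wmf-config nor the content of T119100 or change 319000. The group names 'sysop', 'bureaucrat', 'steward', 'founder' and 'abusefilter' are assumed local group names, and applying the 6-byte minimum to the 'default' policy (all accounts) is an assumption, since the RfC result list does not state its scope.

```php
<?php
// Added example for this task, not the project's own configuration.
// Goes in LocalSettings.php (or the equivalent per-wiki settings file).

// Assumed: the 6-byte minimum from the RfC applies to every account.
// MinimalPasswordLength is checked when a password is set or changed, not at login;
// existing accounts with shorter passwords keep working until they change it.
// MinimumPasswordLengthToLogin is the login-time floor (1 only rejects empty passwords).
$wgPasswordPolicy['policies']['default'] = [
    'MinimalPasswordLength'        => 6,
    'MinimumPasswordLengthToLogin' => 1,
    'PasswordCannotMatchUsername'  => true,
    // Rejects passwords found in MediaWiki's large common-password list
    // ("uncommon passwords" in the RfC). Renamed PasswordNotInCommonList in MediaWiki 1.35.
    'PasswordNotInLargeBlacklist'  => true,
];

// The stricter policy for the privileged groups named in the task.
$privilegedPolicy = [
    'MinimalPasswordLength'        => 8,
    'MinimumPasswordLengthToLogin' => 1,
    'PasswordCannotMatchUsername'  => true,
    'PasswordNotInLargeBlacklist'  => true,
];

// Assumed group names; confirm against the wiki's own $wgGroupPermissions keys.
// 'abusefilter' is the group behind "Abuse filter editors" / Edit Filter Managers.
foreach ( [ 'sysop', 'bureaucrat', 'steward', 'founder', 'abusefilter' ] as $group ) {
    $wgPasswordPolicy['policies'][$group] = $privilegedPolicy;
}
```

When a user belongs to several groups, MediaWiki applies the strictest value of each setting across those groups, so a bureaucrat who is also a sysop gets the 8-byte minimum once; there is no need to special-case overlapping memberships.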

Password requirements for Edit Filter Manager group

Which group is this? Abuse filter editors on enwiki?

Change 319000 had a related patch set uploaded (by Reedy):
Increase password requirements on enwiki for "Abuse filter editors"

https://gerrit.wikimedia.org/r/319000

Change 319000 merged by jenkins-bot:
Increase password requirements on enwiki for "Abuse filter editors"

https://gerrit.wikimedia.org/r/319000

Reedy updated the task description. Nov 4 2016, 3:25 PM
Reedy triaged this task as Low priority. Nov 4 2016, 3:58 PM
Aklapper removed csteipp as the assignee of this task.
Bawolff added a subscriber: Bawolff. Dec 9 2017, 1:59 PM

Regular audits will take some work to get set up

I don't think anyone ever decided what is meant by this (running hashcat against functionary password hashes? Ensuring they have 2FA? Something else?).

Samtar added a subscriber: Samtar. Wed, Dec 27, 2:58 PM

Regular audits will take some work to get set up

I don't think anyone ever decided what is meant by this (running hashcat against functionary password hashes? Ensuring they have 2FA? Something else?).

Personally, and mindful of ease vs usefulness, a "regular audit" would be:

  • Run every 6 months (it's just a number, but twice a year seems reasonable)
  • Enforcing/checking that 2FA is enabled (depending on whether 2FA ever became a requirement, which is unlikely; we should at least have statistics)
  • Checking functionaries'/administrators' passwords against a "top X" list (nb. "commonly used" passwords cannot be chosen)
  • Running hashcat against functionaries' passwords (guessing this would be resource expensive, hence limiting to only functionary password hashes)

Thoughts? How much of this could be automated, to whom would the results go, and what would happen if an account "failed" the audit?
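The second and third items in the list above (2FA present? password in a "top X" list?) are the parts that can be automated cheaply, since they need no brute force at all. The script below is an added illustration of such an audit pass, not code from this task or from MediaWiki; the account records, the salt/hash storage layout and the common-password list are all constructed for the example (MediaWiki's real stored-hash format differs), and the function names are ours.

```php
<?php
// Added example: an offline audit of privileged accounts of the kind proposed above.
// Input records and the "top X" list are constructed; nothing here touches a live wiki.

// Constructed stand-in for a "top X" commonly used password list.
const COMMON_PASSWORDS = [ 'password', '12345678', 'wikipedia', 'qwerty123' ];

// Hashing scheme assumed for the constructed records: PBKDF2-SHA256, raw bytes.
function hashCandidate( string $password, string $salt ): string {
    return hash_pbkdf2( 'sha256', $password, $salt, 10000, 0, true );
}

// Returns the list of findings for one account: 'no-2fa' and/or 'common-password'.
function auditAccount( array $account, array $commonList ): array {
    $findings = [];
    if ( !$account['2fa_enabled'] ) {
        $findings[] = 'no-2fa';
    }
    // Try only the short common list: cheap, and it is exactly the check the
    // PasswordNotInLargeBlacklist policy performs at password-set time, re-run
    // against accounts whose password may predate that policy.
    foreach ( $commonList as $candidate ) {
        $computed = hashCandidate( $candidate, $account['salt'] );
        if ( hash_equals( $account['hash'], $computed ) ) {
            $findings[] = 'common-password';
            break;
        }
    }
    return $findings;
}

// Runs the audit over all records and returns only the accounts with findings,
// keyed by username, so the result can be handed to whoever owns the follow-up.
function runAudit( array $accounts, array $commonList ): array {
    $report = [];
    foreach ( $accounts as $account ) {
        $findings = auditAccount( $account, $commonList );
        if ( $findings !== [] ) {
            $report[$account['name']] = $findings;
        }
    }
    return $report;
}

// Constructed sample records: two privileged accounts, one weak, one fine.
$accounts = [
    [ 'name' => 'ExampleAdmin', '2fa_enabled' => false, 'salt' => 'salt-a',
      'hash' => hashCandidate( 'wikipedia', 'salt-a' ) ],
    [ 'name' => 'ExampleCrat', '2fa_enabled' => true, 'salt' => 'salt-b',
      'hash' => hashCandidate( 'correct horse battery staple', 'salt-b' ) ],
];

print_r( runAudit( $accounts, COMMON_PASSWORDS ) );
// ExampleAdmin => [ 'no-2fa', 'common-password' ]; ExampleCrat has no findings.
```

The design point is that the expensive step (a full hashcat run) is separate from, and optional after, the cheap checks: the 2FA flag and the top-X comparison answer most of the audit's questions at a cost of one hash per list entry per account, and the report names only the accounts that need follow-up.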

DoRD added a subscriber: DoRD. Thu, Dec 28, 12:20 PM