According to enwiki:WP:STRONGPASS (which is the only published info I could find about what Wikimedia's password policies are), the only requirements for passwords are that they be at least 8 bytes and not match the OWASP top 10,000 most common passwords list. In addition, these rules are only supposed to apply to people with super dangerous privileges -- there are supposed to be no requirements for normal users.
I don't have a super powerful account to test those rules on, but I notice this doesn't seem to be consistent with what actually happens for unprivileged users. Unprivileged users are blocked from using some common passwords, but not all of them from that list. In fact, the 7th most popular password "1234" is permitted. Here are the results of me testing the first few dozen passwords on the OWASP list:
It doesn't seem to make any sense to me to ban some really common passwords, but not others, so I just wanted to clarify whether or not this is intentional behavior. Obviously I don't know what $wgPasswordPolicy is set to, so I can't tell.
Since I at least know that PasswordCannotBePopular must be enabled (although I don't know what $wgPopularPasswordFile is set to), I could assume that the hardcoded passwords in that function must be banned. And indeed, "" (empty string), "wiki", "mediawiki" and $sitename do appear to be banned. However, because Wikimedia passwords are synced across multiple sites, the $sitename restriction causes weird behavior. I can't set my password to "wikipedia" on Wikipedia, but I can log in to, say, Wikivoyage and set it to "wikipedia" there. When I log back into Wikipedia, it'll ask me to change my password, but it won't force me to (I can just leave the page).