
Increase password policies for the 'steward' group
Open, High, Public

Description

As far as I can see at https://meta.wikimedia.org/wiki/Special:PasswordPolicies#steward, the policy is less strict than the one required for administrators, which makes no sense, at least on WMF wikis. Our password policy should be as strict as https://meta.wikimedia.org/wiki/Special:PasswordPolicies#wmf-supportsafety, given that we have total access to the wiki interface across the whole lot of Wikimedia wikis (excluding private and fishbowl wikis, which are non-CentralAuth).

This strengthens T104371: Strengthen password policy for Stewards.

Event Timeline

Restricted Application added a subscriber: Aklapper. Jun 18 2018, 9:17 AM
MarcoAurelio triaged this task as High priority. Jun 18 2018, 9:17 AM
Restricted Application added a subscriber: Dereckson. Jun 18 2018, 9:17 AM

Change 440834 had a related patch set uploaded (by MarcoAurelio; owner: MarcoAurelio):
[operations/mediawiki-config@master] Increase password policies for 'steward' to max

https://gerrit.wikimedia.org/r/440834

maybe also round up MinimalPasswordLength from 8 to 10?

Reedy added a subscriber: Reedy. Edited Jun 18 2018, 1:10 PM

maybe also round up MinimalPasswordLength from 8 to 10?

Of course, 'MinimumPasswordLengthToLogin' => 1, is pretty stupid too, and with it staying so low, MinimalPasswordLength doesn't actually matter if someone doesn't want to change their password.

I wonder if steward etc should be included in $wmgPrivilegedGroups too...

Also: The config for doing this is seemingly rather convoluted and complex...

jrbs awarded a token. Jun 18 2018, 3:59 PM
jrbs moved this task from Backlog to Security/Abuse on the Trust-and-Safety board.

steward should be in $wmgPrivilegedGroups imho as it manages userrights and can put any user in other restricted groups as well

steward should be in $wmgPrivilegedGroups imho as it manages userrights and can put any user in other restricted groups as well

Unfortunately it's vague and undocumented what should be in there, why, and what exactly it does and under what conditions...

jrbs renamed this task from 2qaaaaaaaa to Increase password policies for the 'steward' group. Jul 1 2018, 3:41 AM
jrbs raised the priority of this task from High to Needs Triage.
jrbs triaged this task as High priority.
jrbs updated the task description.
jrbs added subscribers: GerritBot, Aklapper, MarcoAurelio.

Change 440834 abandoned by MarcoAurelio:
Increase password policies for 'steward' to max

https://gerrit.wikimedia.org/r/440834

Abandoning my patch given the difficulties in understanding how to fix this absent clear docs.

revi added a subscriber: revi. Oct 20 2018, 3:20 AM

IIRC Stewards are admin on at least one wiki right now, so I'd assume admin's strict rule wins over steward's rule...

But we can't predict the future.
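
The two points raised in the comments above (a login minimum of 1 making the length minimum unenforced, and a stricter group's rule winning for users in several groups), as an added example that is not code from this task or from MediaWiki. It is a simplified PHP model that assumes the effective policy is the per-setting maximum across a user's groups and that only `MinimumPasswordLengthToLogin` blocks login; the group values, the `steward-strict` entry and both function names are constructed for illustration.

```php
<?php
// Simplified model of group password policies. Assumptions: the effective
// policy is the per-setting maximum over the user's groups, and only
// MinimumPasswordLengthToLogin blocks login. All values are constructed.
$policies = [
    'default' => ['MinimalPasswordLength' => 8,  'MinimumPasswordLengthToLogin' => 1],
    'steward' => ['MinimalPasswordLength' => 8,  'MinimumPasswordLengthToLogin' => 1],
    'sysop'   => ['MinimalPasswordLength' => 10, 'MinimumPasswordLengthToLogin' => 1],
    // Hypothetical tightened steward policy, for comparison only.
    'steward-strict' => ['MinimalPasswordLength' => 10, 'MinimumPasswordLengthToLogin' => 8],
];

// Hypothetical helper: merge the policies of every group the user holds,
// keeping the largest value of each setting.
function effectivePolicy(array $policies, array $groups): array
{
    $effective = $policies['default'];
    foreach ($groups as $group) {
        foreach ($policies[$group] ?? [] as $setting => $value) {
            $effective[$setting] = max($effective[$setting] ?? 0, $value);
        }
    }
    return $effective;
}

// Hypothetical helper: classify what happens when an existing password is used.
function checkAtLogin(array $policy, string $password): string
{
    $length = strlen($password); // byte length; the sample password is ASCII
    if ($length < $policy['MinimumPasswordLengthToLogin']) {
        return 'login refused';
    }
    if ($length < $policy['MinimalPasswordLength']) {
        return 'login allowed, password change suggested';
    }
    return 'login allowed';
}

$existingPassword = 'abc12'; // constructed 5-character password set before the policy
$cases = [
    'steward only'           => ['steward'],
    'steward + sysop'        => ['steward', 'sysop'],
    'steward-strict + sysop' => ['steward-strict', 'sysop'],
];
foreach ($cases as $label => $groups) {
    $policy = effectivePolicy($policies, $groups);
    printf("%-24s %s => %s\n", $label, json_encode($policy), checkAtLogin($policy, $existingPassword));
}
```

In the first two cases the short password still logs in because the merged `MinimumPasswordLengthToLogin` stays at 1; only the third case refuses it.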