Specialist support for 2018/19 password strengthening project
Open, HighPublic

Description

What is the problem?

The Security team would like to increase the minimum requirements for all new Wikimedia accounts in addition to the password requirements for all users holding administrator permissions. We feel very confident that our proposed changes are low-risk, high-impact but are open to altering the requirements based on strong community consensus. The current minimum requirements are at Special:PasswordPolicies.

What does success of this task look like? How do we know when we are done?

The proposed changes to the minimum password requirements (or a near-variation of) are live on production for all Wikimedia wikis.

Is there any goal, program, project, team related with this request?

  • No Phabricator tasks have been created yet, to my knowledge.
  • This is a request from the Security team that will most likely built by the Anti-Harassment tools team, with @TBolliger (me) as Product Manager.

What is your expected timeline from start to end? Is there a hard deadline?

The deadline is not hard, but here is a rough proposed schedule of work:

  • October — Get a Community Liaison to perform on-wiki communication.
  • October (or whenever the Security team’s blog post goes live) — begin on-wiki communication
  • October — create Phabricator tasks and other needed documentation
  • November — AHT developers to estimate the work for this project
  • Development to occur at natural stopping point of AHT’s current project of ‘Partial Blocks’

Please list the subtasks that you would need a Specialist to perform.

  • Create or help Product Manager create & maintain a project page
  • Determine breadth of this consultation and how to best present this work to our users
  • Make announcements to stimulate discussion & participation
  • Triage comments/questions/etc. in on-wiki discussion — either responding directly or handing off to Product Manager, Security team, or engineer.
TBolliger created this task.Oct 1 2018, 9:39 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 1 2018, 9:39 PM
TBolliger updated the task description. (Show Details)Oct 1 2018, 9:45 PM
Elitre added a subscriber: Elitre.Oct 2 2018, 9:35 AM

Thanks for filing this. Triaging.

Elitre added a comment.Oct 5 2018, 1:35 PM

Waiting for docs access, we'll likely start adding comments there. TY

Elitre added a comment.Oct 9 2018, 9:51 AM

Waiting for docs access, we'll likely start adding comments there. TY

Does Sidney already have access to those docs? Thanks.

Elitre added a subscriber: SPoore.Oct 9 2018, 9:51 AM

Everyone with an @wikimedia.org email address should have edit access to that doc now.

Appreciate your patience, Trevor.
You mention a blog post - is that already in the works/shareable? (I looked at the Wikimedia blog and didn't find it there, so assuming it's not published yet)

Thank you for the update, @Elitre! I was just going to ping this, as I've received an email nudge from @JBennett about this project. He will know the target publication date for the blog post, but I think we can move forward with preliminary staff discussions to decide what needs to be brought on wiki and how to present it.

dbarratt added a subscriber: dbarratt.EditedOct 26 2018, 6:01 PM

Would it be possible to explore alternative authentication mechanisms instead of using a password?

For instance, perhaps it would be better (as far as security is concerned) to authenticate users on something they have (email, phone number, one time password, etc.) rather than something they know (password)?

This is probably a question for Security rather than us. :)

JJMC89 added a subscriber: JJMC89.Oct 26 2018, 6:23 PM

The proposed changes to the minimum password requirements (or a near-variation of) are live on production for all Wikimedia wikis.

Sadly, this isn't public :(

There are some notes in that document with the Security team that I'm not sure should be public, but here are the requested product changes:

  • Increase minimum password length for all newly created accounts from 1 to 8.
  • Increase minimum password length for all admin accounts from 8 to 10.
  • All newly created accounts and admin accounts must have a password outside the top 100,000 popular passwords. (Current is 100.)
  • When a person creates a new account and their password does not match these requirements, the API or the UI should return an appropriate error message.
  • When an admin logs in with a password that does not match the requirements, they should see a notification that their password does not match the requirements. (This notification already exists.)
  • No change for existing non-admin accounts.

Is there a reason to for increasing the pwlength for new accounts only to 8 ?

Otherwise, I would directly bump to 10 the minimum length both for new users and all admin accounts (I would use even a larger minimum for admins, and we may not want to set a large minimum for everybody, but I see little reason for differentiating between 8 and 10).

I would also add a check for the HIBP Pwned Passwords blacklist.

Is there a reason to for increasing the pwlength for new accounts only to 8 ?

This is a good question. It's been several months since we discussed these minimums, but if memory serves me correctly there is some research/literature (even on Wikipedia) that shows that 8-characters is a good balance of memorable and secure.

Would love to see some papers on that area.
The links on that section are 10 years old ☹

Looking at the University of Maryland page (which is 21 years old!), and the mention of eight character passwords, they talk a limit of 8-character in the passwords, which is clearly because of the old DES-based crypt(3):

Currently, the maximum password length on many Unix systems is eight characters, but if you want to add a few more characters to make it easier to remember, go ahead. Just bear in mind that anything after the eighth character will be ignored.

Not something that we should worry about. Even the earliest MediaWiki version supported arbitrary-length passwords.☺

Our Security department decided to go with the National Institute of Standards and Technology's latest recommendations, published in June 2017: https://www.nist.gov/publications/digital-identity-guidelines-authentication-and-lifecycle-management

The minimum length is suggested on Page 13 and their rationale is on Page 67.

CKoerner_WMF triaged this task as Normal priority.

Nice.

Thanks, TBollinger

(note: they are pages 13 and 67 are according to the internal document numbering, add 10 pages for the absolute page in the pdf)

Interestingly, SP 800-63b mostly argues that user-chosen entropy is hard to predict and defers to the fact that SP 800-63-2 required user-chosen memorized secrets to be a minimum of 8 characters long. It features a more complex entropy estimation (table A.1) based on Shannon experiments, and the 8 characters limit seem to be the Token reuirement for Level 2 access (Table 6).

CKoerner_WMF raised the priority of this task from Normal to High.

I met with @TBolliger and have a meeting to discuss CommRel's support with @JBennett on 7 November. We'll be discussing the first two items in the task description.

  • Create or help Product Manager create & maintain a project page
  • Determine breadth of this consultation and how to best present this work to our users

I'll update the task after the meeting with our proposed plan.

@JBennett and I met today. Here's our suggested communication plan.

  • Create subpage for the project
  • Write blog post (John to do this)
  • Write announcement (Chris to do this)
    • Keep it short and simple, point to project page for full details, and give a place for folks to raise issues with how password change may impact work
      • Ask for translations
    • When ready, send to Village Pumps via MassMessage
      • Send also to wikimedia-l, wikitech-l, wikitech-ambassadors
      • Include Teahouse and other places new folks hang out (because people will have questions and the communities there can help answer)
      • Include in Tech News

I'll share a draft of the announcement in the next few weeks (eventually a subpage under my username as I do for most announcements). I'll also have a draft of the project page up in the same time frame.

I'll update this task once those are ready.

Elitre awarded a token.Nov 7 2018, 5:50 PM

Sounds great, Chris!

I'll go through the Google Doc today and address/resolve the comments.

CKoerner_WMF added a comment.EditedMon, Dec 3, 8:48 PM

Policy posted on Meta: https://meta.wikimedia.org/wiki/Password_policy

Draft sent to translators for translation assistance.

https://lists.wikimedia.org/pipermail/translators-l/2018-December/004696.html

I will publish this Thursday.

Targets:

Mailing lists: Wikimedia-l, wikitech-l, Wikitech-ambassadors, cloud-l

On wiki: Village Pumps, Admins (Administrators' newsletter), Tech News

(To be joined by a blog post on wmf.org)

Wonderful, thank you Chris!

Upon recommendation I have additional sent a message to the stewards-l mailing list (waiting approval) and the Bureaucrats noticeboards.