Page MenuHomePhabricator

Specialist support for 2018/19 password strengthening project
Closed, ResolvedPublic


What is the problem?

The Security team would like to increase the minimum requirements for all new Wikimedia accounts in addition to the password requirements for all users holding administrator permissions. We feel very confident that our proposed changes are low-risk, high-impact but are open to altering the requirements based on strong community consensus. The current minimum requirements are at Special:PasswordPolicies.

What does success of this task look like? How do we know when we are done?

The proposed changes to the minimum password requirements (or a near-variation of) are live on production for all Wikimedia wikis.

Is there any goal, program, project, team related with this request?

  • No Phabricator tasks have been created yet, to my knowledge.
  • This is a request from the Security team that will most likely built by the Anti-Harassment tools team, with @TBolliger (me) as Product Manager.

What is your expected timeline from start to end? Is there a hard deadline?

The deadline is not hard, but here is a rough proposed schedule of work:

  • October — Get a Community Liaison to perform on-wiki communication.
  • October (or whenever the Security team’s blog post goes live) — begin on-wiki communication
  • October — create Phabricator tasks and other needed documentation
  • November — AHT developers to estimate the work for this project
  • Development to occur at natural stopping point of AHT’s current project of ‘Partial Blocks’

Please list the subtasks that you would need a Specialist to perform.

  • Create or help Product Manager create & maintain a project page
  • Determine breadth of this consultation and how to best present this work to our users
  • Make announcements to stimulate discussion & participation
  • Triage comments/questions/etc. in on-wiki discussion — either responding directly or handing off to Product Manager, Security team, or engineer.

Event Timeline

Thanks for filing this. Triaging.

Waiting for docs access, we'll likely start adding comments there. TY

Waiting for docs access, we'll likely start adding comments there. TY

Does Sidney already have access to those docs? Thanks.

Everyone with an email address should have edit access to that doc now.

Appreciate your patience, Trevor.
You mention a blog post - is that already in the works/shareable? (I looked at the Wikimedia blog and didn't find it there, so assuming it's not published yet)

Thank you for the update, @Elitre! I was just going to ping this, as I've received an email nudge from @JBennett about this project. He will know the target publication date for the blog post, but I think we can move forward with preliminary staff discussions to decide what needs to be brought on wiki and how to present it.

Would it be possible to explore alternative authentication mechanisms instead of using a password?

For instance, perhaps it would be better (as far as security is concerned) to authenticate users on something they have (email, phone number, one time password, etc.) rather than something they know (password)?

This is probably a question for Security rather than us. :)

The proposed changes to the minimum password requirements (or a near-variation of) are live on production for all Wikimedia wikis.

Sadly, this isn't public :(

There are some notes in that document with the Security team that I'm not sure should be public, but here are the requested product changes:

  • Increase minimum password length for all newly created accounts from 1 to 8.
  • Increase minimum password length for all admin accounts from 8 to 10.
  • All newly created accounts and admin accounts must have a password outside the top 100,000 popular passwords. (Current is 100.)
  • When a person creates a new account and their password does not match these requirements, the API or the UI should return an appropriate error message.
  • When an admin logs in with a password that does not match the requirements, they should see a notification that their password does not match the requirements. (This notification already exists.)
  • No change for existing non-admin accounts.

Is there a reason to for increasing the pwlength for new accounts only to 8 ?

Otherwise, I would directly bump to 10 the minimum length both for new users and all admin accounts (I would use even a larger minimum for admins, and we may not want to set a large minimum for everybody, but I see little reason for differentiating between 8 and 10).

Is there a reason to for increasing the pwlength for new accounts only to 8 ?

This is a good question. It's been several months since we discussed these minimums, but if memory serves me correctly there is some research/literature (even on Wikipedia) that shows that 8-characters is a good balance of memorable and secure.

Would love to see some papers on that area.
The links on that section are 10 years old ☹

Looking at the University of Maryland page (which is 21 years old!), and the mention of eight character passwords, they talk a limit of 8-character in the passwords, which is clearly because of the old DES-based crypt(3):

Currently, the maximum password length on many Unix systems is eight characters, but if you want to add a few more characters to make it easier to remember, go ahead. Just bear in mind that anything after the eighth character will be ignored.

Not something that we should worry about. Even the earliest MediaWiki version supported arbitrary-length passwords.☺

Our Security department decided to go with the National Institute of Standards and Technology's latest recommendations, published in June 2017:

The minimum length is suggested on Page 13 and their rationale is on Page 67.

CKoerner_WMF triaged this task as Medium priority.


Thanks, TBollinger

(note: they are pages 13 and 67 are according to the internal document numbering, add 10 pages for the absolute page in the pdf)

Interestingly, SP 800-63b mostly argues that user-chosen entropy is hard to predict and defers to the fact that SP 800-63-2 required user-chosen memorized secrets to be a minimum of 8 characters long. It features a more complex entropy estimation (table A.1) based on Shannon experiments, and the 8 characters limit seem to be the Token reuirement for Level 2 access (Table 6).

I met with @TBolliger and have a meeting to discuss CommRel's support with @JBennett on 7 November. We'll be discussing the first two items in the task description.

  • Create or help Product Manager create & maintain a project page
  • Determine breadth of this consultation and how to best present this work to our users

I'll update the task after the meeting with our proposed plan.

@JBennett and I met today. Here's our suggested communication plan.

  • Create subpage for the project
  • Write blog post (John to do this)
  • Write announcement (Chris to do this)
    • Keep it short and simple, point to project page for full details, and give a place for folks to raise issues with how password change may impact work
      • Ask for translations
    • When ready, send to Village Pumps via MassMessage
      • Send also to wikimedia-l, wikitech-l, wikitech-ambassadors
      • Include Teahouse and other places new folks hang out (because people will have questions and the communities there can help answer)
      • Include in Tech News

I'll share a draft of the announcement in the next few weeks (eventually a subpage under my username as I do for most announcements). I'll also have a draft of the project page up in the same time frame.

I'll update this task once those are ready.

Sounds great, Chris!

I'll go through the Google Doc today and address/resolve the comments.

Policy posted on Meta:

Draft sent to translators for translation assistance.

I will publish this Thursday.


Mailing lists: Wikimedia-l, wikitech-l, Wikitech-ambassadors, cloud-l

On wiki: Village Pumps, Admins (Administrators' newsletter), Tech News

(To be joined by a blog post on

Upon recommendation I have additional sent a message to the stewards-l mailing list (waiting approval) and the Bureaucrats noticeboards.

It's been nearly two weeks since the announcements were sent. Feedback has been given and addressed with support from AHT and Security. The major change (password length T208246) has been made as of Dec 13. I'm resolving this task for the quarter and this phase of assistance. Community Relations is happy to continue working on communicating further security improvements, all you need is to ask. :)

Some stats:

  • Sent to 6 mailing lists (wikimedia-l, wikitech-l, cloud, wikitech-amassadors, and stewards-l)
  • Added to Tech News which is published to 802 wiki pages with translations into 14 languages
  • Posted to Village pumps (630 total), Administrator notice boards (112 total), and Bureaucrats notice boards (29 total). The message was translated to 18 languages (Thank you translators!)
  • The project page saw 1,327 page views since Dec 6th.
  • The policy itself has seen 1,502 page views. It too has been translated; 12 complete translations with about 9 partial translations.
    • Which is amazing as I didn't ask for any translation assistance. Our volunteer translators are good folks who are always eager to help out.

Thank you Chris! Great work on helping us make and communicate the change. 🚀 🙌🏼 🐙

T208246 was the most significant user-facing change for existing users, and T211622 will release in January and I do not think needs and additional communication other than Tech News, by which we'll just use the User-notice Phabricator tag.