
Technical investigation for password changes
Closed, ResolvedPublic

Description

Look into the requested password changes outlined in T205931: Specialist support for 2018/19 password strengthening project and prepare a technical plan and needed Phabricator tickets for implementing the changes.

Requested changes

  • Increase minimum password length for all newly created accounts from 1 to 8.
  • Increase minimum password length for all admin accounts from 8 to 10.
  • All newly created accounts and admin accounts must have a password outside the top 100,000 popular passwords. (Current is 100.) — Handled by T151425.
  • When a person creates a new account and their password does not match these requirements, the API or the UI should return an appropriate error message.
  • When an admin logs in with a password that does not match the requirements, they should see a notification that their password does not match the requirements. (This notification already exists.)
  • No change for existing non-admin accounts.

Things to investigate/do

  • Changing password length
  • Expanding password library to 100k. — Handled by T151425.
  • Create needed Phab tasks for Anti-Harassment backlog
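The requested values from the description expressed as a LocalSettings.php override of the shipped DefaultSettings.php defaults, added here as an illustration rather than a patch from this task; it assumes the $wgPasswordPolicy and $wgPopularPasswordFile layout of the MediaWiki 1.31-era DefaultSettings.php (key names should be confirmed against the release being changed) and that the admin groups are sysop and bureaucrat.

```php
<?php
// LocalSettings.php fragment (added illustration, not a patch from this task).
// Assumes the $wgPasswordPolicy / $wgPopularPasswordFile layout of the
// MediaWiki 1.31-era DefaultSettings.php; confirm key names for your release.

// Shipped defaults being overridden: the 'default' policy accepts a
// 1-character password and only rejects the top 100 popular passwords;
// 'sysop' and 'bureaucrat' ship with a minimum of 8.

// Every newly set password must be at least 8 characters and outside the
// top 100,000 popular passwords (the list enlargement itself is T151425).
$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 8;
$wgPasswordPolicy['policies']['default']['PasswordCannotBePopular'] = 100000;

// Admin groups: 10 characters. MediaWiki applies the strictest value among
// all of a user's group policies, so a sysop gets 10 even though 'default'
// says 8. Existing accounts are only affected when they next set a password;
// MinimumPasswordLengthToLogin is what would force a change at login, and it
// is deliberately left at its default here ("no change for existing accounts").
foreach ( [ 'sysop', 'bureaucrat' ] as $adminGroup ) {
    $wgPasswordPolicy['policies'][$adminGroup]['MinimalPasswordLength'] = 10;
    $wgPasswordPolicy['policies'][$adminGroup]['PasswordCannotBePopular'] = 100000;
}

// The popular-password check reads a CDB file; after regenerating it with
// maintenance/createCommonPasswordCdb.php from a 100k-entry input, point at it.
// Path relative to the wiki root, matching the default output location.
$wgPopularPasswordFile = __DIR__ . '/includes/password/commonpasswords.cdb';
```

Any wiki that has already overridden these keys in its own LocalSettings.php, or that regenerates the CDB from a shorter input file, keeps its weaker settings, which is the release-guidance concern raised later in this task.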

Event Timeline

Restricted Application added subscribers: MGChecker, Aklapper. Oct 26 2018, 4:05 PM
Elitre added a subscriber: Elitre. Oct 26 2018, 5:21 PM
TBolliger updated the task description. Oct 26 2018, 9:14 PM
aezell added a subscriber: aezell. Oct 26 2018, 11:07 PM

The defaults for password policy are here in DefaultSettings.php.

The file containing popular passwords is defined in DefaultSettings.php.

The popular password file is created by createCommonPasswordCdb.php. The result is by default written to /includes/password/commonpasswords.cdb. There are comments in that PHP file with example input files.

The code to see if a given password matches the common/popular list is located in PasswordPolicyChecks.php. As this lookup is a sort of DB query, I can't imagine the size of the DB we are talking about will really make much of a difference.

Here are some issues I foresee:

  • We can provide new defaults in the MW install and we can confirm that the wikis we maintain honor those defaults. It's possible that some wikis will have changed these defaults or provided overrides.
  • I did see some code that seems to indicate there is a Special:PasswordPolicies page that could allow someone to create new policies which may override these default settings.
  • As the common/popular password "database" is generated on install or maintenance, we can likely regenerate it for the wikis we maintain. Other wikis might need instructions or guidance on how to do this. It's not clear to me exactly how this would be done as part of release. The code is in the maintenance directory so I assume there's a way to have that "maintenance" run during release.

Looking on the English Wikipedia, Special:PasswordPolicies just lists the current per-usergroup policies defined for the wiki, similar to how Special:ListGroupRights behaves. (S:PasswordPolicies also isn't present on a 1.30 wiki I checked first, so I'm guessing it was added in 1.31 or later?)

S:PasswordPolicies also isn't present on a 1.30 wiki I checked first, so I'm guessing it was added in 1.31 or later?

https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/392278/ shows it was included in 1.32.0-wmf.20.

Looking on the English Wikipedia, Special:PasswordPolicies just lists the current per-usergroup policies defined for the wiki

That's good to hear. At least we know that policies can't be created that would override the ones we'd like to modify. I didn't read that code too closely so thanks for verifying this.

aezell claimed this task. Oct 26 2018, 11:34 PM
Reedy added a subscriber: Reedy. Oct 27 2018, 8:58 AM

All newly created accounts and admin accounts must have a password outside the top 100,000 popular passwords. (Current is 100.)

That is done by T151425: Enlarge Popular Password File to 100,000 entries and enforce the new minimum in the config and the two patches in gerrit.

@Reedy Thanks for pointing us to that and for getting that work done. I'll update the description here to not include that work.

aezell updated the task description. Oct 29 2018, 5:10 PM
aezell updated the task description.
TBolliger updated the task description. Oct 29 2018, 5:21 PM
TBolliger updated the task description.
aezell updated the task description. Oct 29 2018, 5:36 PM
TBolliger closed this task as Resolved. Oct 29 2018, 5:38 PM
TBolliger moved this task from Ready to Done on the Anti-Harassment (AHT Sprint 32) board.