👯♂️ See also: T211622: Change password length requirement and ensure enforcement for non-privileged users (from 1 to 8)
We need to modify the required lengths of passwords. Specifically, these changes should be made:
- Increase minimum password length for all privileged* accounts from 8 to 10.
- When an admin logs in with a password that does not match the requirements, they should see a notification that their password does not match the requirements.
  - This notification already exists, but should be updated to display the new, accurate information.
Notes
- The defaults for password policy are [[ https://gerrit.wikimedia.org/g/mediawiki/core/+/03157c14a9cc29bc4b40dd43f465fd199d65c1bc/includes/DefaultSettings.php#4507 | here in DefaultSettings.php ]]. Some policies are changed dynamically in CommonSettings.php.
- We will need to ensure the error messages work as described in the requirements above.
- We can provide new defaults in the MW install and we can confirm that the wikis we maintain honor those defaults. It's possible that some wikis will have changed these defaults or provided overrides. This might be a good place for communication.
- Permissioned groups that need a minimum of 10: Administrators, Interface administrators, Bureaucrats, Oversighters, Central notice administrators, Global renamers, WMF Office IT, WMF Support and Safety, CheckUsers, Staff, and Stewards.
Further research and comments are located in: T208065 (That task includes the password blacklist work which is handled elsewhere and not part of this task.)
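One way to check whether a wiki's overrides still honor the new minimum, as an added example that is not MediaWiki or WMF code. It audits an array shaped like `$wgPasswordPolicy`; the internal group names, the sample values, and the rule that the effective minimum is the stricter of the `default` and group entries are assumptions to confirm against the wiki being checked.

```php
<?php
// Added example: audit a $wgPasswordPolicy-shaped array for the 10-character minimum.
// Internal group names below are assumptions; use the groups defined on the wiki.
const PRIVILEGED_GROUPS = [ 'sysop', 'interface-admin', 'bureaucrat', 'oversight', 'checkuser' ];
const REQUIRED_MIN = 10;

// A setting is read as a plain integer, or as an array carrying the number under 'value'.
function settingValue( $setting ): int {
	if ( is_array( $setting ) ) {
		return (int)( $setting['value'] ?? 0 );
	}
	return (int)$setting;
}

// Effective minimum for a group: the stricter of the 'default' entry and the group's own
// (assumed merge rule, see the lead-in).
function effectiveMinLength( array $policy, string $group ): int {
	$policies = $policy['policies'] ?? [];
	$default = settingValue( $policies['default']['MinimalPasswordLength'] ?? 0 );
	$own = settingValue( $policies[$group]['MinimalPasswordLength'] ?? 0 );
	return max( $default, $own );
}

// Returns [ group => effective minimum ] for each privileged group below the requirement.
function findWeakGroups( array $policy ): array {
	$weak = [];
	foreach ( PRIVILEGED_GROUPS as $group ) {
		$min = effectiveMinLength( $policy, $group );
		if ( $min < REQUIRED_MIN ) {
			$weak[$group] = $min;
		}
	}
	return $weak;
}

// Constructed sample policy, not taken from any real wiki configuration.
$samplePolicy = [ 'policies' => [
	'default' => [ 'MinimalPasswordLength' => 8 ],
	'sysop' => [ 'MinimalPasswordLength' => 10 ],
	'interface-admin' => [ 'MinimalPasswordLength' => 10 ],
	'bureaucrat' => [ 'MinimalPasswordLength' => 8 ], // local override left at the old value
	'oversight' => [ 'MinimalPasswordLength' => [ 'value' => 10 ] ],
	// 'checkuser' has no entry here, so only 'default' applies to it
] ];

foreach ( findWeakGroups( $samplePolicy ) as $group => $min ) {
	echo "$group: effective minimum $min, expected at least " . REQUIRED_MIN . "\n";
}
```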
Acceptance criteria
- New password minimum length of 10 for privileged accounts is enforced on login
- Error messages display as needed and display accurate information