Page MenuHomePhabricator
Create Task
Maniphest T211622

Change password length requirement and ensure enforcement for non-privileged users (from 1 to 8)
Closed, ResolvedPublic2 Estimated Story Points
Actions

Description

👯‍♂️ See also: T208246: Change password length requirement and ensure enforcement for privileged users (from 8 to 10)

🛑 This ticket is blocked by T211621: The 'your password is weak' message should display on log in for privileged accounts only

Info

We need to modify the required lengths of passwords. Specifically, these changes should be made:

  • Increase minimum password length for all non-privileged accounts from 1 to 8.
  • When a person creates a new account and their password does not match these requirements, the API or the UI should return an appropriate error message.
    • These error messages already exist, but should be updated to display the new accurate information.
  • If a non-privileged user logs in with a password that does not meet these requirements, they should not be messaged about their password strength. (See T211621)
  • If a non-privileged user resets their password, the new password must meet the latest requirements

Acceptance criteria

  • New password minimum length of 8 for new accounts is enforced on account creation and password reset
  • Error messages display as needed and display accurate information
  • No other user-facing change for non-privileged accounts

Details

SubjectRepoBranchLines +/-
Require an 8-byte new password for all usersoperations/mediawiki-configmaster+2 -0
Enforce 8 char password length requirements for non-privileged usersoperations/mediawiki-configmaster+5 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

TBolliger changed the task status from Open to Stalled.Dec 10 2018, 7:51 PM
TBolliger triaged this task as High priority.
TBolliger created this task.
TBolliger mentioned this in T208246: Change password length requirement and ensure enforcement for privileged users (from 8 to 10).
TBolliger moved this task from Untriaged to Triage/To be Estimated on the Anti-Harassment board.
AntiCompositeNumber subscribed.Dec 10 2018, 8:35 PM
gerritbot subscribed.Dec 14 2018, 12:01 AM

Change 479571 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[operations/mediawiki-config@master] Require an 8-byte new password for all users

https://gerrit.wikimedia.org/r/479571

gerritbot added a project: Patch-For-Review.Dec 14 2018, 12:01 AM
Tgr subscribed.Dec 17 2018, 7:22 AM
TBolliger mentioned this in T205931: Specialist support for 2018/19 password strengthening project.Dec 19 2018, 5:50 PM
TBolliger moved this task from Triage/To be Estimated to Cards ready for development on the Anti-Harassment board.Jan 14 2019, 7:55 PM
TBolliger set the point value for this task to 2.
TBolliger moved this task from Cards ready for development to Dalet — ד on the Anti-Harassment board.Feb 13 2019, 7:50 PM
TBolliger edited projects, added Anti-Harassment (Dalet — ד); removed Anti-Harassment.
TBolliger edited projects, added Anti-Harassment (He — ה); removed Anti-Harassment (Dalet — ד).Feb 27 2019, 7:57 PM
dbarratt changed the edit policy from "Custom Policy" to "All Users".Mar 12 2019, 7:09 PM
dmaza claimed this task.Mar 12 2019, 7:18 PM
gerritbot added a comment.Mar 13 2019, 4:41 PM

Change 496202 had a related patch set uploaded (by Dmaza; owner: Dmaza):
[operations/mediawiki-config@master] Enforce 8 char password length requirements for non-privileged users

https://gerrit.wikimedia.org/r/496202

TBolliger edited projects, added Anti-Harassment (Vav — ו); removed Anti-Harassment (He — ה).Mar 13 2019, 7:07 PM
dmaza moved this task from Ready to In Progress on the Anti-Harassment (Vav — ו) board.Mar 13 2019, 7:11 PM
dbarratt subscribed.Mar 14 2019, 6:14 PM

This change is live on Beta

TBolliger mentioned this in T151425: Enlarge Popular Password File to 100,000 entries and enforce the new minimum in the config.Mar 14 2019, 10:00 PM
Niharika changed the task status from Stalled to Open.Mar 17 2019, 6:23 PM
dmaza moved this task from In Progress to Review on the Anti-Harassment (Vav — ו) board.Mar 18 2019, 3:59 PM
gerritbot added a comment.Mar 25 2019, 6:10 PM

Change 496202 merged by jenkins-bot:
[operations/mediawiki-config@master] Enforce 8 char password length requirements for non-privileged users

https://gerrit.wikimedia.org/r/496202

Stashbot added a comment.Mar 25 2019, 6:15 PM

Mentioned in SAL (#wikimedia-operations) [2019-03-25T18:15:26Z] <dcausse@deploy1001> Synchronized wmf-config/CommonSettings.php: T211622: Enforce 8 char password length requirements for non-privileged users (duration: 00m 50s)

dmaza moved this task from Review to QA/Testing on the Anti-Harassment (Vav — ו) board.Mar 25 2019, 6:39 PM
dmaza moved this task from QA/Testing to Done on the Anti-Harassment (Vav — ו) board.
dmaza closed this task as Resolved.Mar 25 2019, 6:41 PM
gerritbot added a comment.Aug 6 2019, 5:54 PM

Change 479571 abandoned by Jforrester:
Require an 8-byte new password for all users

Reason:
Implemented already.

https://gerrit.wikimedia.org/r/479571

Maintenance_bot removed a project: Patch-For-Review.Aug 6 2019, 6:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL