
MinimumPasswordLengthToLogin error message is unhelpful
Closed, ResolvedPublic

Description

Looks related to the forceReset patch https://gerrit.wikimedia.org/r/c/mediawiki/core/+/481819

Unless the intended behavior is to lock out privileged accounts with a password that does not pass the policies, I would expect to be taken to a password reset page.

Here is a screenshot with the error message (Passwords must be at least 10 characters long)

Screenshot_2019-01-18 Ingresar - Wikipedia, la enciclopedia libre.png (523×561 px, 30 KB)

Edit: FWIW I was able to reset the password without problems. The issue I'm reporting is that you get an error and no guidance on what to do instead of redirecting you to the password reset page.

Event Timeline

Reedy added a subscriber: Tgr.
Reedy subscribed.

Yeah, something doesn't sound to be working quite as intended

We shouldn't be enforcing anything just yet as https://gerrit.wikimedia.org/r/#/c/operations/mediawiki-config/+/479570/ isn't publicised/deployed yet

I'm guessing this was your account in the "staff" global group?

Password length restrictions set by 'MinimalPasswordLength' already do display a password reset page. gerrit:479570 will just remove the "skip" button for privileged users.

But for the "staff" global group, rOMWC0aa1684076ce: Enforce a 10-byte password for staff users set 'MinimalPasswordLengthToLogin' to 10 which will prevent the login before it gets to the point of displaying the reset page. This is slightly more secure, as it prevents a dormant account with a too-short password from being compromised and the attacker being the one to reset the password.

> I'm guessing this was your account in the "staff" global group?

If so, this is invalid and can be made public

> We shouldn't be enforcing anything just yet as https://gerrit.wikimedia.org/r/#/c/operations/mediawiki-config/+/479570/ isn't publicised/deployed yet

Also it's going to force password change, not reset. (Same as the current nag screen except there won't be a Skip button.)

Yeah the message could be improved (although gerrit 479570 as written now will remove this check entirely). Also it does not prevent non-fatal errors from being displayed, which results in the weird duplication (since MinimalPasswordLength also runs and has the same message). Not sure if that's worth the effort though.

Tgr renamed this task from "Privileged account has a password length of <10 characters and can't log in" to "MinimumPasswordLengthToLogin error message is unhelpful". Jan 19 2019, 10:13 PM
Tgr changed the visibility from "Custom Policy" to "Public (No Login Required)".
Tgr removed a project: acl*security.

Change 485480 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/core@master] Improve message for fatal password validity errors on login

https://gerrit.wikimedia.org/r/485480

> I'm guessing this was your account in the "staff" global group?
>
> If so, this is invalid and can be made public

It was my staff account. The error message threw me off. https://gerrit.wikimedia.org/r/485480 seems to address that

> We shouldn't be enforcing anything just yet as https://gerrit.wikimedia.org/r/#/c/operations/mediawiki-config/+/479570/ isn't publicised/deployed yet
>
> Also it's going to force password change, not reset. (Same as the current nag screen except there won't be a Skip button.)
>
> Yeah the message could be improved (although gerrit 479570 as written now will remove this check entirely). Also it does not prevent non-fatal errors from being displayed, which results in the weird duplication (since MinimalPasswordLength also runs and has the same message). Not sure if that's worth the effort though.

Maybe it is not high priority but I would leave a ticket open somewhere to take care of the duplication.

FWIW I've tested https://gerrit.wikimedia.org/r/485480 and I get the two messages but apparently with different min lengths. It might be my local setup

Screenshot_2019-01-21 Log in - devwiki.png (175×290 px, 8 KB)

> FWIW I've tested https://gerrit.wikimedia.org/r/485480 and I get the two messages but apparently with different min lengths. It might be my local setup
>
> Screenshot_2019-01-21 Log in - devwiki.png (175×290 px, 8 KB)

Looks like you have MinimalPasswordLength set to 10 and MinimalPasswordLengthToLogin set to 7 there, or vice versa.

> Maybe it is not high priority but I would leave a ticket open somewhere to take care of the duplication.

Not sure what would be a reasonable way to handle that. Those are two different messages from two different checks, as far as MediaWiki is concerned.

Change 485480 had a related patch set uploaded (by Reedy; owner: Gergő Tisza):
[mediawiki/core@master] Improve message for fatal password validity errors on login

https://gerrit.wikimedia.org/r/485480

Reedy triaged this task as High priority. Sep 17 2019, 9:07 PM

Change 952856 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] Improve message for fatal password validity errors on login

https://gerrit.wikimedia.org/r/952856

> FWIW I've tested https://gerrit.wikimedia.org/r/485480 and I get the two messages but apparently with different min lengths. It might be my local setup
>
> Screenshot_2019-01-21 Log in - devwiki.png (175×290 px, 8 KB)
>
> Looks like you have MinimalPasswordLength set to 10 and MinimalPasswordLengthToLogin set to 7 there, or vice versa.
>
> Not sure what would be a reasonable way to handle that. Those are two different messages from two different checks, as far as MediaWiki is concerned.

If they're two different messages, I think they should actually be different messages. Currently both checkMinimalPasswordLength() and checkMinimumPasswordLengthToLogin() use the 'passwordtooshort' localisation message. I suggest splitting it into two, worded along the lines of:

  • New passwords must be at least {{PLURAL:$1|1 character|$1 characters}}.
  • You must change your password to be at least {{PLURAL:$1|1 character|$1 characters}} to log in.

(Still a bit awkward if you get both of these errors, but better than two identical messages with a different number.)

There is no guarantee MinimalPasswordLengthToLogin is shown on login. It can show up when trying to register or changing your password.
Likewise, MinimalPasswordLength doesn't only show when you are trying to set a new password. When the suggestChangeOnLogin policy flag is set, the error is shown on login with an option to change the current password.
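The following LocalSettings.php fragment is an added illustration of the two checks discussed in this thread (Tgr's explanation of the login-blocking check above, and the comments on where each message can appear); it is not code from this task or from the referenced Gerrit patches. It assumes MediaWiki's standard $wgPasswordPolicy layout; the local group name 'staff' and the numeric values are constructed for the example.

```php
<?php
// Added example, not from the task or the referenced patches. Assumes the
// standard $wgPasswordPolicy structure; the group name 'staff' and the
// values below are constructed for illustration.

// MinimalPasswordLength is the non-fatal check: a too-short password is
// rejected when a new password is set, and with the 'suggestChangeOnLogin'
// flag the user is also shown the change-password screen at login (the
// nag screen with a Skip button that the thread refers to).
//
// MinimumPasswordLengthToLogin is the fatal check: a password shorter than
// this cannot be used to log in at all, so a dormant account with a weak
// password cannot be taken over and have its password "reset" by whoever
// guessed it. The trade-off is exactly the one reported here: the user is
// locked out and must use the password-reset flow, so the error message
// has to say so clearly.
$wgPasswordPolicy['policies']['staff'] = [
	'MinimalPasswordLength' => [
		'value' => 10,
		'suggestChangeOnLogin' => true,
	],
	'MinimumPasswordLengthToLogin' => 10,
];

// Keep the two thresholds equal. With mismatched values (for example 7
// and 10, as in the devwiki screenshot above) both checks fire on login
// and the user sees two near-identical "must be at least N characters"
// messages with different numbers.
```

For a CentralAuth global group, such as the "staff" group in this task, the analogous per-group setting is $wgCentralAuthGlobalPasswordPolicies rather than $wgPasswordPolicy; the policy keys are the same.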

Change 485480 merged by jenkins-bot:

[mediawiki/core@master] Improve message for fatal password validity errors on login

https://gerrit.wikimedia.org/r/485480

Change 952856 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Improve message for fatal password validity errors on login

https://gerrit.wikimedia.org/r/952856