
Replace PasswordCannotBePopular with PasswordNotInLargeBlacklist on Wikimedia wikis
Closed, Duplicate · Public · PRODUCTION ERROR


Wikimedia wikis use PasswordCannotBePopular => 100 for normal users (for privileged users the more powerful PasswordNotInLargeBlacklist is used instead). PasswordCannotBePopular has been deprecated in core and should be replaced (it's spamming the log with deprecation warnings).

PasswordCannotBePopular checks the password against the top X entries of a common passwords list, ranked by popularity. PasswordNotInLargeBlacklist checks against a list of 100,000 common passwords; it uses a Bloom filter so it's not possible to only check against a subset of the list. So the replacement will make the password requirements significantly stronger.

So we should either

  • notify users about the upcoming change, wait some time and replace the check
  • do the same, but flag the check so that it will not be applied on login (in a sense this will weaken the existing policy, although only for users who have been getting warnings until now, so the effect should be minimal)
  • undo the deprecation
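
The difference between the two checks, as an added example that is not part of the task description and is not MediaWiki's code: a ranked list can be truncated to its top N entries, while a Bloom filter built from the whole list keeps membership only, so every listed password is rejected whatever its rank. The sample list, the filter parameters and the function names are constructed for illustration.

```python
import hashlib

# Constructed sample list, most popular first. Not the real password list.
RANKED = ["123456", "password", "qwerty", "letmein", "dragon", "sunshine2019"]


class BloomFilter:
    """Minimal Bloom filter: records set membership only, no order or rank."""

    def __init__(self, size_bits=1024, hashes=4):
        self.size, self.hashes = size_bits, hashes
        self.bits = bytearray(size_bits // 8)

    def _positions(self, item):
        # Assumed scheme: k bit positions from salted SHA-256 digests.
        for i in range(self.hashes):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        # No false negatives; false positives are possible by design.
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


def rejected_by_top_n(password, ranked, n):
    """Top-N style check: only the n most popular entries are rejected."""
    return password in ranked[:n]


def build_filter(ranked):
    """Whole-list filter; the rank of each entry is lost once it is added."""
    bf = BloomFilter()
    for pw in ranked:
        bf.add(pw)
    return bf


def newly_rejected(ranked, n):
    """Passwords the top-N check accepts but the whole-list filter rejects."""
    bf = build_filter(ranked)
    return [pw for pw in ranked
            if pw in bf and not rejected_by_top_n(pw, ranked, n)]


if __name__ == "__main__":
    print(newly_rejected(RANKED, 3))
```

Users whose passwords fall in the `newly_rejected` set are the ones affected by the stricter check when the replacement is deployed.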

Event Timeline

Tgr created this task. Mar 14 2019, 8:52 PM
Restricted Application added a subscriber: Aklapper. Mar 14 2019, 8:52 PM
Tgr added a comment. Mar 14 2019, 8:54 PM

(Sort of related: {T148238}, although it would not help with old accounts of course.)

mmodell changed the subtype of this task from "Task" to "Production Error". Aug 28 2019, 11:07 PM