Page MenuHomePhabricator
Create Task
Maniphest T218449

Determine new password requirements for MediaWiki core
Open, MediumPublic
Actions

Description

There has been a fair amount of work recently to increase password requirements (T151425: Enlarge Popular Password File to 100,000 entries and enforce the new minimum in the config adds a new, larger password blacklist; T211621: The 'your password is weak' message should display on log in for privileged accounts only adds a flag to hide password warnings on login, thereby making changes less disruptive; T118774: No way to force a user to change their password if it's invalid adds a flag to force password change on login for privileged accounts) and building on that we'll soon raise password requirements for Wikimedia wikis (privileged accounts: min length 8 -> 10, blacklist size: 10K -> 100K, force flag on; normal accounts: min length 1 -> 8, blacklist size 100 -> 100K, hide flag on).

What should the core settings be? And how do we communicate them to affected users / wiki owners?
(Some changes already happened: 414603 increased the blacklist size from 25 to 100K for privileged users.)

FWIW the NIST recommendations are 8 character minimum length and checking the password against "a list that contains values known to be commonly-used, expected, or compromised" (doesn't really go into specifics).

See also T211550: Password length check should count unicode characters.

Related Objects

Event Timeline

Tgr created this task.Mar 15 2019, 10:09 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 15 2019, 10:09 PM
Tgr mentioned this in T151425: Enlarge Popular Password File to 100,000 entries and enforce the new minimum in the config.Mar 15 2019, 10:11 PM
Jdforrester-WMF subscribed.Mar 15 2019, 10:33 PM
Aklapper added a comment.Mar 15 2019, 10:57 PM

(Is MediaWiki-extensions-Auth_remoteuser a typo and should be MediaWiki-Core-AuthManager ?)

Tgr edited projects, added MediaWiki-Core-AuthManager; removed MediaWiki-extensions-Auth_remoteuser.Mar 16 2019, 12:17 AM
In T218449#5028787, @Aklapper wrote:

(Is MediaWiki-extensions-Auth_remoteuser a typo and should be MediaWiki-Core-AuthManager ?)

Yup, thanks.

Niharika subscribed.Mar 17 2019, 6:47 PM
CCicalese_WMF removed a project: MediaWiki-Stakeholders-Group.Jul 30 2019, 11:18 PM
Reedy subscribed.Sep 5 2019, 11:17 PM

T151425 brings the blacklist to 100K, patch to MW core will land in 1.34...

chasemp triaged this task as Medium priority.Dec 9 2019, 4:26 PM
chasemp added a project: Security.Feb 10 2020, 10:57 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:06 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL