Page MenuHomePhabricator

Determine new password requirements for MediaWiki core
Open, MediumPublic


There has been a fair amount of work recently to increase password requirements (T151425: Enlarge Popular Password File to 100,000 entries and enforce the new minimum in the config adds a new, larger password blacklist; T211621: The 'your password is weak' message should display on log in for privileged accounts only adds a flag to hide password warnings on login, thereby making changes less disruptive; T118774: No way to force a user to change their password if it's invalid adds a flag to force password change on login for privileged accounts) and building on that we'll soon raise password requirements for Wikimedia wikis (privileged accounts: min length 8 -> 10, blacklist size: 10K -> 100K, force flag on; normal accounts: min length 1 -> 8, blacklist size 100 -> 100K, hide flag on).

What should the core settings be? And how do we communicate them to affected users / wiki owners?
(Some changes already happened: 414603 increased the blacklist size from 25 to 100K for privileged users.)

FWIW the NIST recommendations are 8 character minimum length and checking the password against "a list that contains values known to be commonly-used, expected, or compromised" (doesn't really go into specifics).

See also T211550: Password length check should count unicode characters.

Event Timeline

T151425 brings the blacklist to 100K, patch to MW core will land in 1.34...

chasemp triaged this task as Medium priority.Dec 9 2019, 4:26 PM