
Disable PasswordCannotBePopular in wmf production
Closed, Resolved | Public

Description

PasswordCannotBePopular is deprecated since 1.33, and PasswordNotInLargeBlacklist should be used instead

Currently PasswordCannotBePopular affects non-privileged users, but is adding minimal to zero improved security in the grand scheme of things. Should we just remove it?

Ideally we should be rolling out PasswordNotInLargeBlacklist everywhere, but that's somewhat of a breaking change... And probably needs communication

This is somewhat a follow-up to T208441: 👩‍👦‍👦 AHT password strengthing work, 2018/19, and I guess T151425: Enlarge Popular Password File to 100,000 entries and enforce the new minimum in the config subsumes this...?

Event Timeline

Reedy updated the task description.
Reedy assigned this task to Jdforrester-WMF.

This has actually been done; the patch to wmf-config doing it is specifically in T151425.

It does have some leftover code in CommonSettings.php, but that'll go away eventually