Page MenuHomePhabricator
Create Task
Maniphest T241845

Create new password policy to check if a password is a substring of a username
Closed, ResolvedPublicSecurity
Actions

Description

It was noticed that wiki accounts are being created with username patterns along the lines of "The password to this account is xxx". Some examples as noticed by @Bsadowski1:

  1. The_password_to_this_account_is_aedanlorfinkhasamajorcrushonpauldohertyssister
  2. The_password_to_this_account_is_nnnnnnn
  3. My_password_is_literally_just_password

(and many more)

There are plenty of clever ways to do abusive things like this where it becomes difficult for programmatic checks to be effective. But we should, at the very least, add a new password check similar to the existing PasswordCannotMatchUsername which checks for plain text passwords as substrings of the corresponding username.

Note: not entirely sure if this task should be private.

Details

Author Affiliation
WMF Technology Dept
SubjectRepoBranchLines +/-
Password policy to check if a password is a substring of a usernamemediawiki/coremaster+69 -0
Customize query in gerrit

Related Objects

Event Timeline

sbassett created this task.Jan 3 2020, 4:08 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 3 2020, 4:08 PM
sbassett triaged this task as Medium priority.Jan 3 2020, 4:09 PM
sbassett added projects: Security-Team, Vuln-Infoleak.
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)
sbassett added subscribers: Reedy, chasemp, JFishback_WMF.
sbassett updated the task description. (Show Details)Jan 3 2020, 4:12 PM
sbassett added a subscriber: MarcoAurelio.Jan 3 2020, 5:07 PM
sbassett renamed this task from Create new password policy to detect if a password is a substring of a username to Create new password policy to check if a password is a substring of a username.Jan 3 2020, 6:11 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Jan 3 2020, 7:45 PM
MarcoAurelio changed the subtype of this task from "Task" to "Security Issue".Jan 5 2020, 7:03 PM
sbassett added a project: user-sbassett.Jan 6 2020, 4:25 PM
sbassett moved this task from Backlog / Other to Operational issues on the acl*security board.Jan 6 2020, 4:28 PM
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett added a comment.Jan 6 2020, 5:37 PM

Talked to @Reedy - we were thinking this could probably go through gerrit, especially if we got a patch up today and merged before the train this week. I'm not certain a security patch makes sense here, since there's a potential slippery-slope argument around PasswordPolicyChecks.php where no new check should ever be publicly added. Which, unless it's to mitigate a more serious, ongoing attack, seems like overkill IMO.

sbassett closed this task as Resolved.EditedJan 14 2020, 4:56 PM
sbassett claimed this task.

Patch merged. Should ride this week's train. Will file follow-up task suggesting removal of checkPasswordCannotMatchUsername.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 14 2020, 4:56 PM
sbassett moved this task from Operational issues to Done on the acl*security board.
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
sbassett moved this task from In Progress to Done on the user-sbassett board.
sbassett mentioned this in T242768: Remove checkPasswordCannotMatchUsername Password Policy check.Jan 14 2020, 5:01 PM
Aklapper added a project: MediaWiki-General.Jan 14 2020, 7:27 PM
chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
sbassett changed Author Affiliation from N/A to WMF Technology Dept.Sep 7 2021, 2:31 PM
sbassett updated the task description. (Show Details)
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL