
Create new password policy to check if a password is a substring of a username
Closed, Resolved · Public · Security

Description

It was noticed that wiki accounts are being created with username patterns along the lines of "The password to this account is xxx". Some examples as noticed by @Bsadowski1:

  1. The_password_to_this_account_is_aedanlorfinkhasamajorcrushonpauldohertyssister
  2. The_password_to_this_account_is_nnnnnnn
  3. My_password_is_literally_just_password

(and many more)

There are plenty of clever ways to do abusive things like this, and programmatic checks will not catch all of them. But we should, at the very least, add a new password check similar to the existing [[ https://gerrit.wikimedia.org/g/mediawiki/core/+/a0673d5913f62e1dcff7bf5a25dfea198c83a1eb/includes/password/PasswordPolicyChecks.php#95 | PasswordCannotMatchUsername ]], one that rejects a plaintext password when it occurs as a substring of the corresponding username.

Note: not entirely sure if this task should be private.
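The check described above, written as an added stand-alone example rather than MediaWiki core code. It follows the shape of `PasswordPolicyChecks::checkPasswordCannotMatchUsername` (policy value, username, password in; a verdict out) but returns a plain array of message keys instead of a MediaWiki `Status` object so it runs without the framework. The function names, the normalisation steps (underscores treated as spaces, case-insensitive comparison) and the message key are assumptions, and the test cases are constructed from the usernames quoted in the description.

```php
<?php
// Added example, not MediaWiki core code: a substring-of-username password check
// modelled on PasswordCannotMatchUsername. Names, normalisation and message key
// are assumptions; in core the check would be a static method returning a Status.

declare(strict_types=1);

/**
 * Normalise a username or password before comparing. MediaWiki displays usernames
 * with spaces while page titles/URLs use underscores, so both are treated alike,
 * and the comparison is case-insensitive using multibyte-safe functions.
 */
function normalizeForCompare( string $s ): string {
    $s = str_replace( '_', ' ', $s );
    $s = preg_replace( '/\s+/u', ' ', trim( $s ) );
    return mb_strtolower( $s, 'UTF-8' );
}

/**
 * True when the policy is enabled and the (normalised) password occurs inside the
 * (normalised) username. Empty passwords are deliberately left to other checks such
 * as MinimalPasswordLength: every string "contains" the empty string, so a naive
 * substring test would reject all empty passwords here with the wrong message.
 */
function passwordIsSubstringOfUsername( bool $policyVal, string $username, string $password ): bool {
    if ( !$policyVal || $password === '' ) {
        return false;
    }
    $needle = normalizeForCompare( $password );
    if ( $needle === '' ) {
        return false;
    }
    return mb_strpos( normalizeForCompare( $username ), $needle, 0, 'UTF-8' ) !== false;
}

/**
 * Hypothetical policy check in the style of PasswordPolicyChecks. Returns an array
 * of error message keys; an empty array means the password passes this check.
 * The message key is an assumed placeholder.
 */
function checkPasswordCannotBeSubstringOfUsername( bool $policyVal, string $username, string $password ): array {
    return passwordIsSubstringOfUsername( $policyVal, $username, $password )
        ? [ 'password-substring-username-match' ]  // assumed key
        : [];
}

// Constructed cases: username, candidate password, expected "rejected?" verdict.
$cases = [
    [ 'The_password_to_this_account_is_nnnnnnn', 'nnnnnnn', true ],
    [ 'My_password_is_literally_just_password', 'password', true ],
    [ 'My password is literally just password', 'PASSWORD', true ],      // case-insensitive
    [ 'The_password_to_this_account_is_nnnnnnn', 'The password', true ], // underscore vs space
    [ 'Alice', 'alice', true ],                                          // exact match is a substring too
    [ 'Alice', 'correct horse battery staple', false ],
    [ 'Alice', '', false ],                                              // left to the length check
];

foreach ( $cases as [ $user, $pass, $expected ] ) {
    $errors = checkPasswordCannotBeSubstringOfUsername( true, $user, $pass );
    $ok = ( ( $errors !== [] ) === $expected ) ? 'ok' : 'FAIL';
    printf( "%-4s %-42s %-32s -> %s\n", $ok, $user, json_encode( $pass ), $errors ? 'rejected' : 'accepted' );
}
```

Run with `php substring_check.php`; every row should print `ok`. Normalising underscores and case is a design choice: a user who types their password with a capital letter or a space still leaks it when the username is shown as a page title, so the check compares the forms an attacker would actually see rather than the raw input.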

Event Timeline

sbassett created this task. Jan 3 2020, 4:08 PM
Restricted Application added a subscriber: Aklapper. Jan 3 2020, 4:08 PM
sbassett triaged this task as Medium priority. Jan 3 2020, 4:09 PM
sbassett updated the task description.
sbassett updated the task description.
sbassett added subscribers: Reedy, chasemp, JFishback_WMF.
sbassett updated the task description. Jan 3 2020, 4:12 PM
sbassett renamed this task from "Create new password policy to detect if a password is a substring of a username" to "Create new password policy to check if a password is a substring of a username". Jan 3 2020, 6:11 PM
sbassett updated the task description.
sbassett updated the task description. Jan 3 2020, 7:45 PM
MarcoAurelio changed the subtype of this task from "Task" to "Security Issue". Jan 5 2020, 7:03 PM
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.

Talked to @Reedy - we were thinking this could probably go through gerrit, especially if we got a patch up today and merged before the train this week. I'm not certain a security patch makes sense here, since there's a potential slippery-slope argument around PasswordPolicyChecks.php where no new check should ever be publicly added. Which, unless it's to mitigate a more serious, ongoing attack, seems like overkill IMO.

sbassett closed this task as Resolved. (Edited) Jan 14 2020, 4:56 PM
sbassett claimed this task.

Patch merged. Should ride this week's train. Will file follow-up task suggesting removal of checkPasswordCannotMatchUsername.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Jan 14 2020, 4:56 PM
sbassett moved this task from Operational issues to Done on the acl*security board.
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
sbassett moved this task from In Progress to Done on the user-sbassett board.