Require a minimum password length at account creation
Closed, Resolved, Public

Description

Author: elian

Description:
For security, passwords should be of reasonable length. Disallow empty and too
short passwords.


Version: unspecified
Severity: enhancement

bzimport added a subscriber: Unknown Object (MLST).
bzimport set Reference to bz621.
bzimport created this task. Via Legacy, Oct 2 2004, 8:15 PM
bzimport added a comment. Via Conduit, Jan 8 2005, 6:29 PM

JoostMeerten wrote:

At the very *least* disallow blank passwords. A semi-secure password module
shouldn't be that hard to implement either (it has been done many times before).
When all users were equal, this didn't matter that much. Now that we have
admins, it does. We should be glad nobody with the required technical expertise
has desired to cause big problems for Wikipedia. That's no reason to remain
inactive.

I heard on #wikipedia that according to a survey by Tim, hundreds of users had
trivial passwords -- blank passwords, "password", "secret" and presumably the
age-old favorite <username> as well. It didn't say how many of these were
admins, and I don't care to guess.

User names are not secret. I could easily use anonymous proxies to hack as many
accounts as possible. Aside from the possibilities for vandalism, I could use
such accounts for all sorts of identity confusion. This would not be good for
the community.
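
As an added illustration that is not part of the original thread and is not MediaWiki's code: a creation-time check covering the weak-password classes named in the comment above (blank, too short, "password", "secret", same as the user name). The function name, the reason codes and the minimum length of 8 are assumptions, and the sample accounts are constructed.

```python
import unicodedata

# Assumed policy value for this sketch; the thread does not specify a length.
MIN_LENGTH = 8
# The trivial passwords named in the comment above.
TRIVIAL = {"password", "secret"}


def _fold(s: str) -> str:
    """Normalize and case-fold so look-alike spellings compare equal."""
    return unicodedata.normalize("NFKC", s).casefold().strip()


def password_problems(username: str, password: str,
                      min_length: int = MIN_LENGTH) -> list[str]:
    """Return reason codes for rejecting a password at account creation.

    An empty list means the password passes these checks.
    """
    if password == "":
        # Blank is reported alone: it is the case the thread wants blocked first.
        return ["empty"]
    problems = []
    # len() on a str counts code points, not bytes, so multi-byte
    # characters are not over-counted toward the minimum.
    if len(unicodedata.normalize("NFKC", password)) < min_length:
        problems.append("too_short")
    folded = _fold(password)
    if folded == "":
        problems.append("whitespace_only")
    if folded == _fold(username):
        problems.append("same_as_username")
    if folded in TRIVIAL:
        problems.append("trivial")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts, not taken from any real wiki.
    samples = [("ExampleUser", ""), ("ExampleUser", "secret"),
               ("ExampleUser", "exampleuser"), ("ExampleUser", "ｐａｓｓｗｏｒｄ"),
               ("ExampleUser", "correct horse battery")]
    for user, pw in samples:
        print(repr(pw), "->", password_problems(user, pw) or "ok")
```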

bzimport added a comment. Via Conduit, Jan 26 2005, 4:45 AM

tietew-mediazilla wrote:

In ja.wikipedia, an account with an empty password was hijacked
and used to vandalize.

At least, empty password MUST be denied ASAP.

Wikinaut added a comment. Via Conduit, Jan 26 2005, 7:29 AM

(In reply to comment #2)

At least, empty password MUST be denied ASAP.

For your information:

I disallow empty passwords in the ENotif and EAuthent patch, which *is* in CVS
HEAD version (for 1.5 version). It does not yet check the length of the passwords.

bzimport added a comment. Via Conduit, Jan 30 2005, 7:39 PM

jeluf wrote:

Fixed in CVS HEAD.

MZMcBride added a comment. Via Conduit, Feb 7 2014, 12:35 AM

(In reply to comment #4)

Fixed in CVS HEAD.

In r7317 specifically.

MZMcBride added a comment. Via Conduit, Feb 7 2014, 12:51 AM

Related links:

  • [[mw:Manual:$wgMinimalPasswordLength]]
  • r48968

Dereckson added a subscriber: Dereckson. Via Web, Nov 23 2014, 10:35 PM

See also T20222.