We need to modify the required lengths of passwords. Specifically, these changes should be made:
- Increase minimum password length for all newly created accounts from 1 to 8.
- Increase minimum password length for all permissioned* accounts from 8 to 10.
- When a person creates a new account and their password does not match these requirements, the API or the UI should return an appropriate error message.
  - These error messages already exist, but should be updated to display the new accurate information.
- When an admin logs in with a password that does not match the requirements, they should see a notification that their password does not match the requirements.
  - This notification already exists, but should be updated to display the new accurate information.
- No change for existing non-admin accounts.
------
**Notes**
- The defaults for password policy are [[ https://gerrit.wikimedia.org/g/mediawiki/core/+/03157c14a9cc29bc4b40dd43f465fd199d65c1bc/includes/DefaultSettings.php#4507 | here in `DefaultSettings.php` ]]. Some policies are changed dynamically in [[ https://noc.wikimedia.org/conf/highlight.php?file=CommonSettings.php | CommonSettings.php ]].
- We will need to ensure the error messages work as described in the requirements above.
- We can provide new defaults in the MW install and we can confirm that the wikis we maintain honor those defaults. It's possible that some wikis will have changed these defaults or provided overrides. This might be a good place for communication.
- Permissioned groups that need a minimum of 10: Administrators, Interface administrators, Bureaucrats, Oversighters, Central notice administrators, Global renamers, WMF Office IT, WMF Support and Safety, CheckUsers, Staff, and Stewards.
Further research and comments are located in: T208065 (That task includes the password blacklist work which is handled elsewhere and not part of this task.)
------
**Acceptance criteria**
* New password minimum length of 8 for new accounts is enforced on account creation and password reset
* New password minimum length of 10 for permissioned accounts is enforced on login
* Error messages display as needed and display accurate information
* No user-facing change for non-admin accounts (unless they voluntarily change their password)
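
The acceptance criteria above, expressed as an executable sketch. This is an added example, not MediaWiki code or part of the original task. The function names and message strings are hypothetical, the group names are the display names from the notes, and the login check only returns the notification because the task does not say whether login is also blocked.

```python
# Illustrative model of the policy described in this task; not MediaWiki code.
DEFAULT_MIN_LENGTH = 8         # all newly created accounts (was 1)
PERMISSIONED_MIN_LENGTH = 10   # permissioned accounts (was 8)

# Display names from the task notes, not internal group identifiers.
PERMISSIONED_GROUPS = frozenset({
    "Administrators", "Interface administrators", "Bureaucrats",
    "Oversighters", "Central notice administrators", "Global renamers",
    "WMF Office IT", "WMF Support and Safety", "CheckUsers", "Staff",
    "Stewards",
})


def required_length(groups):
    """Strictest minimum that applies: 10 if any group is permissioned, else 8."""
    if PERMISSIONED_GROUPS.intersection(groups):
        return PERMISSIONED_MIN_LENGTH
    return DEFAULT_MIN_LENGTH


def check_new_password(password, groups=()):
    """Account creation, reset or voluntary change: reject a short password.

    Returns (accepted, error_message). The message carries the minimum that
    actually applies, so it cannot drift from the enforced value.
    """
    minimum = required_length(groups)
    if len(password) < minimum:
        # Hypothetical wording; the real messages already exist in MediaWiki.
        return False, f"Passwords must be at least {minimum} characters."
    return True, None


def check_login(password, groups=()):
    """Login with an existing password: return a notification or None.

    Only permissioned accounts are checked, so existing non-admin accounts
    see no user-facing change.
    """
    if not PERMISSIONED_GROUPS.intersection(groups):
        return None
    minimum = required_length(groups)
    if len(password) < minimum:
        return f"Your password is shorter than the required {minimum} characters."
    return None
```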