Last modified: 2014-04-25 09:38:21 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T5348, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 3348 - Passwords should be checked for strength before being set

Status: PATCH_TO_REVIEW
Product: MediaWiki
Classification: Unclassified
Component: User login and signup (Other open bugs)
Version: unspecified
Hardware: All
OS: All
Importance: Normal enhancement with 3 votes
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Duplicates: 9507 9834
Depends on: 621
Blocks: 9816

Reported: 2005-09-03 23:43 UTC by Neil Harris
Modified: 2014-04-25 09:38 UTC
CC: 10 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Neil Harris 2005-09-03 23:43:51 UTC
With increasing numbers of Wikipedia user accounts, a significant number of
users will have trivial passwords. This can and has been exploited by vandals. 

To prevent this, passwords should be subjected to checking by at least a simple
password checker/cracker before being allowed to be set by a user, to prevent
them from using (for example) a common dictionary word, or a common string like
"123456" or "qwerty". 

Many suitable free software password checkers exist, including pam_passwdqc and
Passwd+.
Comment 1 Rob Church 2006-05-16 03:30:56 UTC
It might be wise to implement this in hooks and then have an extension available
(which we could put live on Wikimedia sites).
Comment 2 Neil Harris 2006-05-17 11:28:26 UTC
That's an excellent idea. That way, there's minimal impact on MediaWiki, and the
greatest possible choice for end users. Any hook should provide not only the
password to be checked but also the username, because some people will use
their username as the basis for all or part of their password.
Comment 3 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-04-06 00:34:39 UTC
*** Bug 9507 has been marked as a duplicate of this bug. ***
Comment 4 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-04-06 00:35:06 UTC
Particular suggestion (from bug 9507): ban passwords that are the same as the user's login.
Comment 5 Brion Vibber 2007-04-26 21:46:13 UTC
Have implemented the password-same-name check in r21640. More general changes
may still remain to do... There is a hook in User::isValidPassword(), but note
that it doesn't currently pass other user information (name, email etc) which
might be desired by a strength checker.
Comment 6 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-05-08 00:33:02 UTC
*** Bug 9834 has been marked as a duplicate of this bug. ***
Comment 7 Chad H. 2008-06-23 14:55:03 UTC
Extension:PasswordStrength committed in 36573.
Comment 8 Tyler Romeo 2008-06-28 01:11:39 UTC
^demon said 
Comment 9 Rd232 2011-07-15 23:15:42 UTC
Extension:PasswordStrength does not appear to exist. Reopened per en.wp discussion at https://secure.wikimedia.org/wikipedia/en/wiki/Wikipedia:Village_pump_%28proposals%29/Account_security#Improve_password_strength
Comment 10 Casey Brown 2011-07-15 23:24:15 UTC
It looks like PasswordStrength was deleted in r47762 per bug 17604. [[mw:Extension:SecurePasswords]] looks like a newer extension that accomplishes many of the same things.
Comment 11 Rd232 2011-07-16 21:01:51 UTC
OK - I see now in its description "as well as a password strength checker", but there is zero documentation of this that I can find.
Comment 12 tomashnyk 2011-11-14 11:55:50 UTC
If this is implemented, it should be made sure that the requirements for the password are shown when opening a new account (there is nothing more frustrating than typing a 4-character password and being told it must be longer, then typing in a 6-character password and being told the same, finally typing an 8-character long password and being told it must have at least one number and so on). I think it should be shown when logging in as well - often people have different password strengths and do not remember which one is used on a given site.
Comment 13 Tyler Romeo 2011-11-14 17:57:00 UTC
(In reply to comment #12)
> If this is implemented, it should be made sure that the requirements for the
> password are shown when opening a new account (there is nothing more
> frustrating than typing a 4-character password and being told it must be
> longer, then typing in a 6-character password and being told the same, finally
> typing an 8-character long password and being told it must have at least one
> number and so on). I think it should be shown when logging in as well - often
> people have different password strengths and do not remember which one is used
> on a given site.

Agreed
Comment 14 Tony Thomas 2014-03-21 12:57:11 UTC
Will adding a test for:
*Password too short! ( < 8 )
*Password too long! ( > 20 )
*Password must include at least one number! ( !preg_match( "#[0-9]+#", $pwd ) )
*Password must include at least one letter! ( !preg_match( "#[a-z]+#", $pwd ) )
*Password must include at least one CAPS! ( !preg_match( "#[A-Z]+#", $pwd ) )
*Password must include at least one symbol! ( !preg_match( "#\W+#", $pwd ) )

suffice?
Comment 15 Tony Thomas 2014-03-21 13:13:15 UTC
Due to community feedback, and consensus, I think only 
*Password too short! ( < 8)  is required
Comment 16 Andre Klapper 2014-03-21 13:36:27 UTC
(In reply to Tony Thomas from comment #15)
> Due to community feedback, and consensus

Links welcome, for transparency.
Comment 17 Tony Thomas 2014-03-21 13:46:05 UTC
> Links welcome, for transparency.

Andre, that was from #wikimedia-dev, I can attach the chat logs, if necessary.
The includes/DefaultSettings.php sets 
$wgMinimalPasswordLength = 1;

This can be edited to a minimum level, say 8. And the minimum requirement message needs to come up near to the Password column.
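The rules proposed in comment 14, the minimum length of 8 from comment 17, the same-as-username check from comments 4 and 5, and the common-string check from the description, combined into one standalone checker. This is an added illustration written for this page, not MediaWiki code and not the PasswordStrength or SecurePasswords extension; the function name, the `$minLength`/`$maxLength` parameters and the short list of common strings are assumptions. It returns every failed rule at once rather than the first one, which is the behaviour comment 12 asks for, and it does not show the wiring into the `isValidPassword` hook mentioned in comment 5.

```php
<?php
// Added example, not MediaWiki code. Applies the checks discussed in this bug
// and returns the full list of failed requirements so the user sees all of
// them at once (comment 12) instead of fixing one rule per attempt.
// $minLength mirrors the proposed $wgMinimalPasswordLength = 8 (comment 17).
function checkPasswordStrength(
    string $password,
    string $username,
    int $minLength = 8,
    int $maxLength = 20
): array {
    // Constructed sample list; a real deployment would use a proper dictionary
    // (the description mentions pam_passwdqc and Passwd+ as candidates).
    static $commonPasswords = [ '123456', 'qwerty', 'password', 'letmein' ];

    $errors = [];
    $len = mb_strlen( $password ); // count characters, not bytes

    if ( $len < $minLength ) {
        $errors[] = "Password too short (minimum $minLength characters)";
    }
    if ( $len > $maxLength ) {
        $errors[] = "Password too long (maximum $maxLength characters)";
    }
    // Character-class rules from comment 14
    if ( !preg_match( '#[0-9]#', $password ) ) {
        $errors[] = 'Password must include at least one number';
    }
    if ( !preg_match( '#[a-z]#', $password ) ) {
        $errors[] = 'Password must include at least one lowercase letter';
    }
    if ( !preg_match( '#[A-Z]#', $password ) ) {
        $errors[] = 'Password must include at least one uppercase letter';
    }
    if ( !preg_match( '#\W#', $password ) ) {
        $errors[] = 'Password must include at least one symbol';
    }
    // Comments 2, 4 and 5: the password must not equal or contain the username
    // (compared case-insensitively, since "Alice" and "alice" are the same hint)
    if ( $username !== '' && stripos( $password, $username ) !== false ) {
        $errors[] = 'Password must not contain the username';
    }
    // Description: reject well-known strings such as "123456" or "qwerty"
    if ( in_array( strtolower( $password ), $commonPasswords, true ) ) {
        $errors[] = 'Password is a commonly used string';
    }

    return $errors;
}

// Constructed inputs to exercise the checker
$samples = [
    [ 'Alice', 'alice123' ],     // fails: no uppercase, no symbol, contains username
    [ 'Alice', 'qwerty' ],       // fails: too short, no number, no uppercase, no symbol, common
    [ 'Alice', 'Tr0ub4dor&3' ],  // passes every rule
];
foreach ( $samples as [ $user, $pwd ] ) {
    $errors = checkPasswordStrength( $pwd, $user );
    echo "$user / $pwd: " . ( $errors ? implode( '; ', $errors ) : 'OK' ) . "\n";
}
```

Returning the whole list of failures is the part that addresses comment 12: the login or signup form can render every unmet requirement next to the password field on the first attempt, so the user does not discover the rules one at a time.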
Comment 18 Gerrit Notification Bot 2014-03-21 16:33:42 UTC
Change 120025 had a related patch set uploaded by 01tonythomas:
Minimum password length for new account set to 8

https://gerrit.wikimedia.org/r/120025
Comment 19 Gerrit Notification Bot 2014-03-21 18:48:42 UTC
Change 120025 abandoned by 01tonythomas:
Minimum password length for new account set to 8

https://gerrit.wikimedia.org/r/120025
Comment 20 Elitre 2014-04-25 09:38:21 UTC
I appreciate when websites show me an evaluation of the password I just entered.


