Last modified: 2014-02-07 00:51:59 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T2621, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 621 - Require a minimum password length at account creation
Require a minimum password length at account creation
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
unspecified
All All
: High enhancement with 3 votes (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks: 3348
  Show dependency treegraph
 
Reported: 2004-10-02 20:15 UTC by elian
Modified: 2014-02-07 00:51 UTC (History)
1 user (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description elian 2004-10-02 20:15:31 UTC 
For security, passwords should be of reasonable length. Disallow empty and too
short passwords.
Comment 1 Joost R. Meerten 2005-01-08 18:29:12 UTC 
At the very *least* disallow blank passwords. A semi-secure password module
shouldn't be that hard to implement either (it has been done many times before).
When all users were equal, this didn't matter that much. Now that we have
admins, it does. We should be glad nobody with the required technical expertise
has desired to cause big problems for Wikipedia. That's no reason to remain
inactive.

I heard on #wikipedia that according to a survey by Tim, hundreds of users had
trivial passwords -- blank passwords, "password", "secret" and presumably the
age-old favorite <username> as well. It didn't say how many of these were
admins, and I don't care to guess.

User names are not secret. I could easily use anonymous proxies to hack as many
accounts as possible. Aside from the possibilities for vandalism, I could use
such accounts for all sorts of identity confusion. This would not be good for
the community.
Comment 2 Tietew 2005-01-26 04:45:32 UTC 
In ja.wikipedia, an account with empty password was hijacked
and used to vandal.

At least, empty password MUST be denied ASAP.
Comment 3 T. Gries 2005-01-26 07:29:20 UTC 
(In reply to comment #2)
> At least, empty password MUST be denied ASAP.
> 
For your information: 

I disallow empty passwords in the ENotif and EAuthent patch, which *is* in CVS
HEAD version (for 1.5 version). It does not yet check the length of the passwords.
Comment 4 JeLuF 2005-01-30 19:39:26 UTC 
Fixed in CVS HEAD.
Comment 5 MZMcBride 2014-02-07 00:35:06 UTC 
(In reply to comment #4)
> Fixed in CVS HEAD.

In r7317 specifically.
Comment 6 MZMcBride 2014-02-07 00:51:59 UTC 
Related links:

* [[mw:Manual:$wgMinimalPasswordLength]]
* r48968
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links