Change password length requirement and ensure enforcement for non-privileged users (from 1 to 8)
Closed, Resolved | Public | 2 Estimated Story Points

Description

👯‍♂️ See also: T208246: Change password length requirement and ensure enforcement for privileged users (from 8 to 10)

🛑 This ticket is blocked by T211621: The 'your password is weak' message should display on log in for privileged accounts only


Info

We need to modify the required lengths of passwords. Specifically, these changes should be made:

  • Increase minimum password length for all non-privileged accounts from 1 to 8.
  • When a person creates a new account and their password does not match these requirements, the API or the UI should return an appropriate error message.
    • These error messages already exist, but should be updated to display the new accurate information.
  • If a non-privileged user logs in with a password that does not meet these requirements, they should not be messaged about their password strength. (See T211621)
  • If a non-privileged user resets their password, the new password must meet the latest requirements.

Acceptance criteria

  • New password minimum length of 8 for new accounts is enforced on account creation and password reset
  • Error messages display as needed and display accurate information
  • No other user-facing change for non-privileged accounts
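
The requirements above, sketched as an added example (not part of the ticket and not the merged wmf-config change). `$wgPasswordPolicy` and its `value`, `suggestChangeOnLogin` and `forceChange` keys are MediaWiki core settings; the `evaluatePassword()` helper, its message strings and the sample password are hypothetical.

```php
<?php
// Added illustration, not the merged wmf-config change.
// $wgPasswordPolicy and the 'value', 'suggestChangeOnLogin' and 'forceChange'
// keys are MediaWiki core settings; everything else here is hypothetical.

$wgPasswordPolicy = [];

// Before: any non-empty password is accepted for non-privileged accounts.
$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 1;

// After: minimum of 8, with no prompt or forced change at login.
$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = [
	'value' => 8,
	'suggestChangeOnLogin' => false,
	'forceChange' => false,
];

/**
 * Hypothetical helper modelling the ticket's rules.
 * $context is 'create', 'reset' or 'login'.
 * Returns the message shown to the user, or null when nothing is shown.
 */
function evaluatePassword( array $setting, string $password, string $context ): ?string {
	$min = $setting['value'];
	// strlen() counts bytes; use mb_strlen() to count characters instead.
	if ( strlen( $password ) >= $min ) {
		return null;
	}
	if ( $context === 'create' || $context === 'reset' ) {
		// Hard failure: the message carries the current minimum (placeholder text).
		return "Passwords must be at least $min characters.";
	}
	// Login with an existing short password is still allowed.
	return $setting['suggestChangeOnLogin'] ? 'Your password is weak.' : null;
}

$setting = $wgPasswordPolicy['policies']['default']['MinimalPasswordLength'];
// Constructed sample input: a 7-byte password, below the new minimum.
foreach ( [ 'create', 'reset', 'login' ] as $context ) {
	$result = evaluatePassword( $setting, 'hunter2', $context );
	printf( "%-6s => %s\n", $context, $result ?? '(accepted, no message)' );
}
```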

Event Timeline

Change 479571 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[operations/mediawiki-config@master] Require an 8-byte new password for all users

https://gerrit.wikimedia.org/r/479571

dbarratt changed the edit policy from "Custom Policy" to "All Users". Mar 12 2019, 7:09 PM

Change 496202 had a related patch set uploaded (by Dmaza; owner: Dmaza):
[operations/mediawiki-config@master] Enforce 8 char password length requirements for non-privileged users

https://gerrit.wikimedia.org/r/496202

Niharika changed the task status from Stalled to Open. Mar 17 2019, 6:23 PM

Change 496202 merged by jenkins-bot:
[operations/mediawiki-config@master] Enforce 8 char password length requirements for non-privileged users

https://gerrit.wikimedia.org/r/496202

Mentioned in SAL (#wikimedia-operations) [2019-03-25T18:15:26Z] <dcausse@deploy1001> Synchronized wmf-config/CommonSettings.php: T211622: Enforce 8 char password length requirements for non-privileged users (duration: 00m 50s)

Change 479571 abandoned by Jforrester:
Require an 8-byte new password for all users

Reason:
Implemented already.

https://gerrit.wikimedia.org/r/479571