
Improve password standards
Open, NormalPublic

Description

Latest standards say passwords should be 12-128 characters. I've added suggested dates if we're happy with it.

I'd like to roll this out by doing it in stages:

  • Set max to 128 (2nd August)
  • Set sysadmin,ts,steward groups to 12 minimum (9th August)
  • Require for above to login (20th August)
  • Set admin,crat,bot to 12 minimum (23rd August)
  • Require for above to login (3rd September)
  • Set all users to 12 minimum (6th September)
  • Require for above to login (17th September)
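The staged rollout above, expressed as a MediaWiki $wgPasswordPolicy fragment for LocalSettings.php. This is an added example, not configuration from this task or from Miraheze's settings; it assumes the listed group names (crat = bureaucrat, admin = sysop) resolve to policy groups on the wiki, and it uses the stage dates only as a switch to show which settings each stage changes. The point it shows is that MinimalPasswordLength (blocks setting a shorter password, nags at login) is what the "set to 12 minimum" steps change, while MinimumPasswordLengthToLogin (hard login block) is what the "require for above to login" steps change.

```php
<?php
// LocalSettings.php fragment. Added illustration of the staged rollout in this
// task; not configuration taken from the task or from Miraheze's real settings.
// Group names are the ones the task lists (crat = bureaucrat, admin = sysop);
// that these partly global groups resolve as policy groups here is an assumption.

/**
 * Apply one rollout stage to a set of policy groups.
 * With $requireToLogin = false a shorter password can no longer be *set* and
 * existing accounts are prompted to change at login (suggestChangeOnLogin).
 * With $requireToLogin = true a shorter password also blocks login outright.
 */
function mhPasswordStage( array $groups, int $minLength, bool $requireToLogin ): void {
	global $wgPasswordPolicy;
	foreach ( $groups as $group ) {
		$wgPasswordPolicy['policies'][$group]['MinimalPasswordLength'] = [
			'value' => $minLength,
			'suggestChangeOnLogin' => true,
		];
		if ( $requireToLogin ) {
			$wgPasswordPolicy['policies'][$group]['MinimumPasswordLengthToLogin'] = $minLength;
		}
	}
}

// Stage 1 (2nd August): cap every account at 128 characters. The 'default'
// policy applies to all users; MediaWiki takes the strictest value across a
// user's groups for each check.
$wgPasswordPolicy['policies']['default']['MaximalPasswordLength'] = 128;

// Stages 2-7: the dates from the task (year taken from the task timeline).
// Each group gets the "minimum 12" step first and the "required to log in"
// step on the later date.
$mhRolloutStages = [
	[ '2021-08-09', [ 'sysadmin', 'ts', 'steward' ], false ],
	[ '2021-08-20', [ 'sysadmin', 'ts', 'steward' ], true ],
	[ '2021-08-23', [ 'sysop', 'bureaucrat', 'bot' ], false ],
	[ '2021-09-03', [ 'sysop', 'bureaucrat', 'bot' ], true ],
	[ '2021-09-06', [ 'default' ], false ],
	[ '2021-09-17', [ 'default' ], true ],
];

$mhToday = date( 'Y-m-d' ); // ISO dates compare correctly as strings
foreach ( $mhRolloutStages as [ $date, $groups, $requireToLogin ] ) {
	if ( $mhToday >= $date ) {
		mhPasswordStage( $groups, 12, $requireToLogin );
	}
}
```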

Event Timeline

RhinosF1 triaged this task as Normal priority. Jul 29 2021, 13:27

I'll create announcements before doing this

Hello all,

Over the next 6 weeks, we will be slowly increasing password requirements to require passwords are between 12 and 128 characters. This is to comply with the latest security standards.

The maximum password length will affect everyone from Monday but the change to minimum lengths will hit users who hold admin, crat or bot on any wiki from the week commencing August 23rd and all users from the week commencing September 6th.

You will start seeing notices when using your account from the start of the week and the change will prevent you logging in by the Friday of the week after.

Please ensure you change your password if affected by the dates above and set an email so you can reset your password if logins are stopped.

If you have any feedback, comment below.

Thanks, ~~~~

I'm not certain I would reduce the maximum (currently 4096). In theory, the only problem with having a password longer than 128 characters is potential server load.

In T7713#155094, @Void wrote:

I'm not certain I would reduce the maximum (currently 4096). In theory, the only problem with having a password longer than 128 characters is potential server load.

It comes from 2.1.1 and 2.1.2 of https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md#v21-password-security-requirements

Owen added a subscriber: Owen.

No objections raised by me.

In T7713#155094, @Void wrote:

I'm not certain I would reduce the maximum (currently 4096). In theory, the only problem with having a password longer than 128 characters is potential server load.

It comes from 2.1.1 and 2.1.2 of https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md#v21-password-security-requirements

See also https://github.com/OWASP/ASVS/issues/756#issuecomment-867078439 . But at the same time there also isn't really a strong reason why we shouldn't. We can move forward with this, but I would be comfortable dropping the 128 max in favor of 4096 if there is community pushback.

I strongly doubt that anyone has a >128 character password.

I agree with Void in that dropping the maximum doesn’t make a lot of sense when it’s already set at that level by default. You’d need a good reason really to lower it and a standard that chose the length based on software we don’t use doesn’t seem it.


I strongly support this. ↗️

I don't have any issues with the maximum 128 characters, but I do have issues with the proposed 12 character minimum. I also have issues with the accelerated timeline and why this is proposed for users who do not have any advanced global groups (i.e., non-system administrators, non-stewards, etc.). Even if Wikimedia requires it for sysop and bureaucrat, you have to remember we're not Wikimedia, so those user groups are a lot less sensitive.