Jump to content

Manual talk:$wgPasswordPolicy/Flow

About this board

Default Policy should be default policy for all groups

9
Vicarage (talkcontribs)

It makes no sense to have multiple policies defining MinimalPasswordLength as in-code defaults. Only the default policy should be defined, and propagated, so a user changing $wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 8; in their LocalSettings.php finds it changes all their groups. As it is they have to have 5 different lines to bend all the policies to their will for administrators. This is not obvious (and in my case still didn't work, so I hacked includes/DefaultSettings.php to get my way).

Tgr (talkcontribs)

You seem to be suggesting that with the default configuration the same security restrictions should be applied to everyone, whether they are a new user or a sysop. That makes no sense from a security perspective - sysop accounts are more valuable targets and can cause more damage, so they need to be defended better.

Vicarage (talkcontribs)

That's a decision for the administrators, not mediawiki developers. The Example section says "This example shows how to change selected policies for all users:" when its not true, and you have confusion between 'sysop' and 'administrator'. The defaults section is confusing with 1.33+ mentions in a 1.35 area. Its all rather a mess.

Tgr (talkcontribs)

Your opinion that the MediaWiki developers should not have made this decision is duly noted.

Vicarage (talkcontribs)

What about the bad advice "This example shows how to change selected policies for all users:", as it does not work for administrators? Please watch someone not connected with password implementation try to follow the instructions here.

Vicarage (talkcontribs)

You also have the confusion that mediawiki can't decide whether people are 'Administrator' or 'sysop'. Anyone looking at https://www.mediawiki.org/wiki/Special:ListUsers/sysop who wasn't a developer would assume they were an 'Administrator', but that's not the keyword used in the code or description.

Tgr (talkcontribs)

That example works just fine. Wrt the sysop/admin group name and human readable name differing, that indeed can be mildly confusing, but "sysop" is a bad name (a slang word that not everyone understands, and those who understand would assume this is the highest privilege, which is not at all true in MediaWiki) and changing a group name in a backwards-compatible manner is not trivial (I'm sure we'd accept patches though).

Vicarage (talkcontribs)
Examples
This example shows how to change selected policies for all users:
$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 10;

And a sysop user would not find anything changed. Have you tried it yourself today, or just know what happens?

The wording should say

This example shows how to change selected policies for all users, unless overridden specifically in the defaults below:

$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 10;
$wgPasswordPolicy['policies']['default']['MaximalPasswordLength'] = 128;
$wgPasswordPolicy['policies']['default']['PasswordCannotMatchUsername']['value'] = false;

This example shows how to change selected policies for just users of the "sysop" group:
$wgPasswordPolicy['policies']['sysop']['MinimumPasswordLengthToLogin'] = 10;
$wgPasswordPolicy['policies']['sysop']['MinimalPasswordLength'] = 20;
Tgr (talkcontribs)

A sysop would not find anything changed, sure, because the minimum length is already 10 for sysops. But setting, say,

$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 16;

would affect sysops as expected.

Reply to "Default Policy should be default policy for all groups"

Password History Policy

2
Dshinks (talkcontribs)

Hi, We've been experimenting with this feature, and there appears to be no way of enforcing a password history policy.

Something along the lines of "The user cannot use a password that was one of their last 6 passwords."

As it stands, if we were to set a password expiry policy, a user could literally just re-enter their existing password and carry on.

You'd think that would be the most fundamental policy to implement; has anyone else come across anything like this at all - maybe I'm just missing it?

Thanks

Tgr (talkcontribs)

There is nothing stopping you from doing it, you'd just have to store old password hashes somewhere. I don't think there is too much point to it (there is no threat it would mitigate well) but if you really want it, it shouldn't be hard to do. Something like

$wgPasswordPolicy['policies']['default'] = [ 'PasswordCannotBeReused' => true ];
$wgPasswordPolicy['checks']['PasswordCannotBeReused'] = 'MyPasswordPolicyChecks::passwordCannotBeReused';

class MyPasswordPolicyChecks {
    public static function passwordCannotBeReused( $value, User $user, $password ) {
        if ( $value !== true || !$user->getId() ) {
            return true;
        }
        
        $dbr = wfGetDB( DB_REPLICA );
        $oldPassword = $dbr->selectField( 'user', 'user_password', [ 'user_id' => $user->getId() ] );
        
        $pwFactory = new PasswordFactory();
        $pwFactory->init( ConfigFactory::getDefaultInstance() );
        $oldPasswordObject = $pwFactory->newFromCiphertext( $oldPassword );
        return !$oldPasswordObject->equals( $password );
    }
}

(more complex if you want it to work with AuthManager but not by much).

Reply to "Password History Policy"

Changing ordinary user policy

6
Summary by Kghbln

Examples now provided in documentation.

90.177.12.108 (talkcontribs)

I needed to implement password policy for ordinary users having passwords of minimum six characters of length.

In LocalSettings.php: $wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 6;

worked.

If it is incorrect use someone more knowledgeable may correct it.

MGChecker (talkcontribs)

It's completely correct.

Supertin (talkcontribs)

Can someone who understands this setting throw some better documentation (ie - examples) on there? I'm trying to reduce the minimum password length to 5, and the suggested entry above isn't working for me on 1.27.

Kghbln (talkcontribs)

I just added examples. The following setting should however work:

$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 5;

Dunno why it does not work for you. Are you sure? @Tgr (WMF):?

Tgr (WMF) (talkcontribs)

MinimalPasswordLength defaults to 1 so if you are trying to reduce that either you already have something raising it (possibly overriding your attempt to reduce it), or there is some confusion about what you want to do (e.g. you are trying to change the password length for some non-default user group).

Kghbln (talkcontribs)

Ah, yeah, I could probably have come up with this, too. Sounds reasonable to me. Thanks a lot for your explanation!

There are no older topics