Please fix the Password requirements section which currently suggests that a privileged account with password "123456" could change it to "1234567890" when they next log in.
Topic on Talk:Wikimedia Security Team/Password strengthening 2019
I imagine 1234567890 appears in the 100,000-password blacklist.
Yes it is in the list: that is my point. The current text does not say that the full password policy will be enforced when a privileged user next logs in. Similar confused wording applies for non-privileged users.
Ah, apologies for the confusion. The requirements section does state for privileged accounts, "This is enforced the next time the user logs in".
I just made an edit that tries to make it a little more clear. Does that help?
Thanks, but no, that did not help. The problem is the bulleted text in the "Password requirements" section. That clearly states that a minimum length of 10 characters for the password of a privileged account will be enforced at next login. The top 100,000 requirement is separate and there is no mention of when or whether it will be enforced. I would be happy to fix the wording, which you would obviously check, but I have no idea what the plan is.
- Please be aware that an 8-character password is considered weak. It can be broken within 2 hours (if random enough). Go and try: https://howsecureismypassword.net/
- Recommendation nowadays (2018): 12 characters with upper- and lowercase letters, numbers and special characters.
- Please reconsider it and update your requirements.
The NIST guidelines (last updated in 2017) actually recommend 8 or more characters.
8-character Unicode passwords surely cannot be broken within hours by any means available on Earth. Also, the attack scenario is not an offline attack; it is subject to rate limits unless someone steals the database.
You're making a classic mistake here. The claim that an 8-character password is weak is based on the assumption that you can do a brute-force attack. In the case of a web service (like Wikipedia), that's not the case. You can't just try, try and try; mechanisms are in place to slow you down. Compare it with a PIN code on an ATM card. Generally only 4 digits long, but generally secure enough because after three failed tries, the card stops working.
FWIW, even against brute-forcing by an attacker with access to the hash, 8 random characters are not really weak. If you use PBKDF2 with 10K+ rounds as per the NIST recommendation (Wikimedia uses 128K rounds), an attacker on a high-tier PC will be down to a few tens of thousands of tries per second (so about a month to brute-force a single all-lowercase random 8-character password, about 100 years if it's mixed case + numbers).
One would be very naive to enter one's password there.
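To make the offline-cracking estimate in the PBKDF2 comment above concrete, here is an added example (not code from the thread or from Wikimedia) that measures how many PBKDF2 guesses per second one CPU core manages at the stated 128K rounds and then works out the worst-case time to exhaust the two 8-character keyspaces discussed. The PRF (SHA-256), the 16-byte salt and the 50,000 guesses/s figure used for "a few tens of thousands" are assumptions of this example, not values stated in the thread.

```python
import hashlib
import os
import time

# Round count from the thread (Wikimedia uses 128K rounds). The PRF and salt
# length below are assumptions for this example, not stated in the thread.
ROUNDS = 128_000
CHARSETS = {"lowercase": 26, "mixed case + digits": 62}


def keyspace(charset_size, length):
    """Number of candidate passwords of the given length over the charset."""
    return charset_size ** length


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second


def human_time(seconds):
    """Render a duration in days, or in years once it exceeds a year."""
    days = seconds / 86_400
    return f"{days / 365:.0f} years" if days >= 365 else f"{days:.0f} days"


def measure_guess_rate(samples=5):
    """PBKDF2 guesses/second one CPU core reaches at ROUNDS. A GPU rig with the
    hash in hand is faster, so treat this as a lower bound on attacker speed."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"password%d" % i, salt, ROUNDS)
    return samples / (time.perf_counter() - start)


def cracking_estimates(length, guesses_per_second):
    """Worst-case exhaustion time (seconds) per charset for a given length."""
    return {name: seconds_to_exhaust(keyspace(size, length), guesses_per_second)
            for name, size in CHARSETS.items()}


if __name__ == "__main__":
    rate = measure_guess_rate()
    print(f"one core: {rate:.1f} PBKDF2 guesses/s at {ROUNDS} rounds")
    # 50,000/s stands in for the thread's "a few tens of thousands" on a high-end PC.
    for label, r in (("this core", rate), ("assumed 50k/s", 50_000)):
        for name, secs in cracking_estimates(8, r).items():
            print(f"  {label:>13}, 8 x {name:<19}: {human_time(secs)}")
```

At 50,000 guesses/s the lowercase keyspace takes about 48 days and the mixed-case-plus-digits keyspace about 140 years, matching the "about a month" and "about 100 years" figures in the comment; the script's own measured rate shows how far a single core is from even that.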