Jump to content

Topic on Manual talk:$wgPasswordPolicy

Default Policy should be default policy for all groups

9
Vicarage (talkcontribs)

It makes no sense to have multiple policies defining MinimalPasswordLength as in-code defaults. Only the default policy should be defined, and propagated, so a user changing $wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 8; in their LocalSettings.php finds it changes all their groups. As it is they have to have 5 different lines to bend all the policies to their will for administrators. This is not obvious (and in my case still didn't work, so I hacked includes/DefaultSettings.php to get my way).

Tgr (talkcontribs)

You seem to be suggesting that with the default configuration the same security restrictions should be applied to everyone, whether they are a new user or a sysop. That makes no sense from a security perspective - sysop accounts are more valuable targets and can cause more damage, so they need to be defended better.

Vicarage (talkcontribs)

That's a decision for the administrators, not mediawiki developers. The Example section says "This example shows how to change selected policies for all users:" when its not true, and you have confusion between 'sysop' and 'administrator'. The defaults section is confusing with 1.33+ mentions in a 1.35 area. Its all rather a mess.

Tgr (talkcontribs)

Your opinion that the MediaWiki developers should not have made this decision is duly noted.

Vicarage (talkcontribs)

What about the bad advice "This example shows how to change selected policies for all users:", as it does not work for administrators? Please watch someone not connected with password implementation try to follow the instructions here.

Vicarage (talkcontribs)

You also have the confusion that mediawiki can't decide whether people are 'Administrator' or 'sysop'. Anyone looking at https://www.mediawiki.org/wiki/Special:ListUsers/sysop who wasn't a developer would assume they were an 'Administrator', but that's not the keyword used in the code or description.

Tgr (talkcontribs)

That example works just fine. Wrt the sysop/admin group name and human readable name differing, that indeed can be mildly confusing, but "sysop" is a bad name (a slang word that not everyone understands, and those who understand would assume this is the highest privilege, which is not at all true in MediaWiki) and changing a group name in a backwards-compatible manner is not trivial (I'm sure we'd accept patches though).

Vicarage (talkcontribs)
Examples
This example shows how to change selected policies for all users:
$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 10;

And a sysop user would not find anything changed. Have you tried it yourself today, or just know what happens?

The wording should say

This example shows how to change selected policies for all users, unless overridden specifically in the defaults below:

$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 10;
$wgPasswordPolicy['policies']['default']['MaximalPasswordLength'] = 128;
$wgPasswordPolicy['policies']['default']['PasswordCannotMatchUsername']['value'] = false;

This example shows how to change selected policies for just users of the "sysop" group:
$wgPasswordPolicy['policies']['sysop']['MinimumPasswordLengthToLogin'] = 10;
$wgPasswordPolicy['policies']['sysop']['MinimalPasswordLength'] = 20;
Tgr (talkcontribs)

A sysop would not find anything changed, sure, because the minimum length is already 10 for sysops. But setting, say,

$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 16;

would affect sysops as expected.

Reply to "Default Policy should be default policy for all groups"