New Wikimedia password policy and requirements


New Wikimedia password policy and requirements

Chris Koerner-2
The Wikimedia Foundation security team is implementing a new password
policy and requirements. [0] You can learn more about the project on
MediaWiki.org. [1]

These new requirements will apply to new accounts and privileged
accounts. New accounts will be required to create a password with a
minimum length of 8 characters. Privileged accounts will be prompted
to update their password to one that is at least 10 characters in
length.

These changes are planned to be in effect on December 13th. If you
think your work or tools will be affected by this change, please let
us know on the talk page. [2]

[0] https://meta.wikimedia.org/wiki/Password_policy
[1] https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Password_strengthening_2019
[2] https://www.mediawiki.org/wiki/Talk:Wikimedia_Security_Team/Password_strengthening_2019

Yours,
Chris Koerner
Community Relations Specialist
Wikimedia Foundation

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: New Wikimedia password policy and requirements

Maarten Dammers
Hi Chris,

Did you base your new policy on
https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret ? I didn't see
any reference to it. You might want to check it out and reference it.

Maarten

On 06-12-18 20:34, Chris Koerner wrote:

> The Wikimedia Foundation security team is implementing a new password
> policy and requirements. [0] You can learn more about the project on
> MediaWiki.org. [1]
>
> These new requirements will apply to new accounts and privileged
> accounts. New accounts will be required to create a password with a
> minimum length of 8 characters. Privileged accounts will be prompted
> to update their password to one that is at least 10 characters in
> length.
>
> These changes are planned to be in effect on December 13th. If you
> think your work or tools will be affected by this change, please let
> us know on the talk page. [2]
>
> [0] https://meta.wikimedia.org/wiki/Password_policy
> [1] https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Password_strengthening_2019
> [2] https://www.mediawiki.org/wiki/Talk:Wikimedia_Security_Team/Password_strengthening_2019
>
> Yours,
> Chris Koerner
> Community Relations Specialist
> Wikimedia Foundation
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l


Re: New Wikimedia password policy and requirements

Thiemo Kreuz
In reply to this post by Chris Koerner-2
Oh my. These might be the most sensible password policies I have seen
implemented since, I think, ever:

1. Must have a certain length.
2. Can not be one of the most used passwords.
3. Ah, and don't be so silly to repeat your user name.
4. That's all.

No made up rules like "must contain at least one special character
from a set of actually not so special characters" that force users to
make their passwords actually less secure.

Thanks a lot to the team working on this, and the code that backs this up!

Best
Thiemo

PS: Now we just need to know what the 100,001st most used password is. ;-)
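
The three rules discussed in this thread (minimum length of 8 for new accounts and 10 for privileged accounts, not a commonly used password, not the user name), written out as a small validator. This is an added example, not part of any post in the thread and not MediaWiki's own code; the function and constant names are hypothetical, the common-password list is a constructed stand-in, and the Unicode normalization and case-insensitive matching are assumptions.

```python
import unicodedata

# Minimum lengths from the announcement: 8 for new accounts, 10 for privileged ones.
MIN_LENGTH = {"new": 8, "privileged": 10}

# Constructed stand-in for a "most used passwords" list. A real deployment
# would load a large list from a file; entries are stored lower-case.
COMMON_PASSWORDS = frozenset(
    {"password", "12345678", "qwertyuiop", "iloveyou1", "1234567890"}
)


def _norm(text):
    """Assumption: compare strings after NFKC normalization and case folding,
    so full-width or upper-case variants of a listed password still match."""
    return unicodedata.normalize("NFKC", text).casefold()


def check_password(username, password, account_type="new", common=COMMON_PASSWORDS):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    # Assumption: length is counted in Unicode code points after NFKC.
    if len(unicodedata.normalize("NFKC", password)) < MIN_LENGTH[account_type]:
        problems.append("too-short")
    if _norm(password) in common:
        problems.append("common-password")
    if _norm(password) == _norm(username):
        problems.append("matches-username")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        ("Alice", "correct horse battery", "privileged"),
        ("Alice", "Password", "new"),
        ("Alice", "12345678", "privileged"),
        ("LongUserName", "longusername", "new"),
    ]
    for user, pw, kind in samples:
        print(f"{kind:10} {pw!r:26} -> {check_password(user, pw, kind) or 'ok'}")
```

Note that there is no character-class rule: a long passphrase passes, while a listed password is rejected regardless of its capitalization.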
