Wikimedia Security Team/Password strengthening 2019

This project is one of the first steps in a long-term plan to increase the security of Wikimedia authentication and authorization systems.

In general, most security breaches on the Internet are related to stolen or weak passwords. We want to build upon the great security culture within the Wikimedia movement to protect your contributions and the contributions of others.

This page describes a new password policy and password requirements for Wikimedia wikis. Feedback on how this change might impact your work is welcomed on the talk page.

New Password Policy
The Wikimedia Security Team, with support from the Anti-harassment team, has developed a new password policy for Wikimedia wikis. The policy can be found in full at

The new policy describes the purpose, scope, and compliance activities regarding passwords – including new password requirements.

Password requirements
These are the new password requirements for all Wikimedia wikis. The Wikimedia Security team has chosen to base our requirements on the National Institute of Standards and Technology guidelines. These requirements apply to new accounts and accounts in privileged user groups.


 * New password minimum length of 8 characters for all new accounts
   * This is enforced when the account is created and when the password is reset
 * New password minimum length of 10 characters for privileged accounts
   * This is enforced the next time the user logs in
 * Passwords from the top 100,000 passwords used in the world are not allowed

When a person creates a new account and their password does not meet these requirements, the API or the UI will return an appropriate error message.
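The requirements above, written out as a check that shows which rule fires at which event. This is an added example, not MediaWiki's or the Security Team's own code; the function name, event labels, error codes and the four-entry common-password sample are assumptions made for illustration.

```python
from typing import Iterable, List

# Display names of the privileged groups, as listed on this page.
PRIVILEGED_GROUPS = frozenset({
    "Administrators", "Interface administrators", "Bureaucrats",
    "Oversighters", "Central notice administrators", "Global renamers",
    "WMF Office IT", "WMF Support and Safety", "CheckUsers", "Staff",
})
MIN_LENGTH_NEW = 8          # all new accounts
MIN_LENGTH_PRIVILEGED = 10  # accounts in a privileged group

# Constructed stand-in for the top-100,000 list; a deployment loads the full list.
COMMON_PASSWORDS = frozenset({"password", "123456789", "qwertyuiop", "iloveyou1234"})

EVENTS = ("create", "reset", "login")  # hypothetical event labels


def policy_errors(password: str, groups: Iterable[str], event: str,
                  new_account: bool) -> List[str]:
    """Return hypothetical error codes; an empty list means nothing to report."""
    if event not in EVENTS:
        raise ValueError(f"unknown event: {event!r}")

    privileged = any(group in PRIVILEGED_GROUPS for group in groups)
    if privileged:
        # Privileged accounts are also checked at login, which is how an
        # existing password that predates the policy gets caught.
        min_length = MIN_LENGTH_PRIVILEGED
    elif new_account and event in ("create", "reset"):
        min_length = MIN_LENGTH_NEW
    else:
        # Existing unprivileged accounts, and ordinary logins, are not checked.
        return []

    errors = []
    if len(password) < min_length:  # len() counts characters, not bytes
        errors.append(f"too-short:{min_length}")
    if password in COMMON_PASSWORDS:
        errors.append("common-password")
    return errors
```
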

Who this impacts
This change will apply to new accounts created after the policy is put into effect. Existing accounts are not impacted, unless the account is an account in a privileged user group: Administrators, Interface administrators, Bureaucrats, Oversighters, Central notice administrators, Global renamers, WMF Office IT, WMF Support and Safety, CheckUsers, and Staff.

Users in these groups will receive a notification to change their password to comply with the new policy every time they log in.

Existing accounts will not be impacted. We do encourage all users to follow best practices. Use a password manager, don’t reuse passwords, and follow the password requirements mentioned above.