Requests for comment/Password requirements

This is to discuss changes to MediaWiki's default password requirements, and making them more configurable.

Context
MediaWiki has a default password minimum of only one character (Manual:$wgMinimalPasswordLength), which applies regardless of what user group (admin, steward, etc.) you are in.

Problem
This is very weak in general. Further, the Wikimedia rate limits make it possible to brute-force weak passwords online) (25925).

Possible solution
We propose two parts:


 * 1) Manual:$wgMinimalPasswordLength will be enforced only on password changes and for new accounts.  This allows increasing it to a larger value (more typical of the modern web) without locking anyone out or requiring regular users to change their password (it can still be encouraged).
 * Just a note: an RFC here is fine for consensus for MediaWiki development, but it cannot dictate how Wikimedia wikis choose to set this variable. It looks like Wikimedia wikis currently use the default from DefaultSettings.php, so this will need to be made explicit on the Wikimedia side before it can be changed in DefaultSettings.php, I think. I'm also not sure why you wouldn't also catch a change in minimal password length on user login (in addition to new accounts and password changes). --MZMcBride (talk) 20:59, 8 February 2013 (UTC)
 * 1) ** Default settings and WMF settings. Resistance on WMF wikis is not a rationale to hold back changing settings in DefaultSettings. Any change to default settings that WMF wikis do not want can be overridden in WMF's settings. It's always been that way. There is no reason to hold back the raising of the default. Daniel Friesen (Dantman) (talk) 21:10, 8 February 2013 (UTC)
 * 2) Password complexity requirements by group (44788).  This would be configurable and available for any group, but for instance admins would by default have more stringent password requirements than regular users.  If a user with a weak password were added to a new group with such requirements, they would need to change their password on login before doing anything.  The "change password on login" requirement would not apply to users without such groups (even if wgMinimalPasswordLength changes).