Manual:$wgPasswordPolicy/en

Details
A password policy is of the form


 * etc. are user groups, plus the special group  which is required to be present and applies to everyone.
 * etc. are arbitrary check names, defined in the  subarray. If the same check applies to a user via multiple groups, it will be applied with the   of the values.
 * etc. are PHP callables, which receive three arguments: the defined value, the object and the password. Default checks (found in  ):
 * - Minimum length a user can set
 * - Passwords shorter than this will not be allowed to login, regardless if it is correct.
 * - Maximum length password a user is allowed to attempt. Prevents DoS attacks with pbkdf2.
 * - Password cannot match username
 * - Username/password combination cannot match a specific, hardcoded blacklist.