Extension:SecurePasswords

What can this extension do?
This extension stores more secure password hashes in the database and adds a password strength checker.

The password strength checker is configurable through the $wgValidPasswords array.

Prerequisites
Before installing this extension, make sure that the following PHP extensions are installed. This extension will work without them, but it won't be as feature-rich:
 * mcrypt - allows for further encrypting password hashes
 * zlib - allows for compressing password hashes
 * pspell - allows checking passwords against a dictionary

Installation
To install this extension, unpack the extension to /extensions (it should create a new directory called SecurePasswords).

Then, execute the securepasswords.sql file either via the sql.php maintenance script or directly into MySQL (be sure to add the correct prefix to the tables if doing the latter). This will expand the password fields in the user table to allow more characters to be stored into them (otherwise long hashes might be truncated, making it impossible to log in to the affected accounts).

Finally, add the following near the end of your LocalSettings.php file:

Configuration parameters
$wgValidPasswords is an associative array of what to check for when validating new passwords. The default values and descriptions are below:

Caveats

 * Changing $wgSecretKey will render every password hashed by this extension invalid if the mcrypt extension for PHP is enabled.
 * Enabling or disabling the mcrypt and zlib extensions for PHP after this extension has been installed will render hashes produced before the changes invalid.
 * The MediaWiki:Passwordtooshort message must be manually changed to reflect the new password strength restrictions. This extension does not change it for you.
 * Very long hashes might be truncated as they are inserted into the database, rendering them invalid. You can change the maxlength field of $wgValidPasswords to alleviate this issue in the future.
 * Passwords hashed without this extension and current passwords that do not meet the strength criteria will still work, but this extension will make no effort to contact these users to change their passwords to take advantage of the new security.
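
The first two caveats mean that a PHP upgrade or a key rotation can silently lock out every account. The following pre-change check is an added example, not part of the SecurePasswords extension: it records whether mcrypt and zlib are loaded, plus a fingerprint of the secret key, and warns when any of them differ from the recorded baseline. The function names, the baseline file path and the WG_SECRET_KEY environment variable are assumptions made for this example.

```php
<?php
// Added example, not part of SecurePasswords. Function names, the baseline
// file path and the WG_SECRET_KEY variable are hypothetical.

// Collect the environment facts that the Caveats section says stored hashes depend on.
function sp_environment_state(string $secretKey): array {
    return [
        'mcrypt' => extension_loaded('mcrypt'),
        'zlib'   => extension_loaded('zlib'),
        // Keep only a short fingerprint of the key, never the key itself.
        'key_fp' => substr(hash('sha256', $secretKey), 0, 16),
    ];
}

// Compare the current state with the baseline and return readable warnings.
function sp_detect_drift(array $baseline, array $current): array {
    $warnings = [];
    foreach (['mcrypt', 'zlib'] as $ext) {
        if ($baseline[$ext] !== $current[$ext]) {
            $warnings[] = sprintf(
                '%s was %s at baseline and is now %s: hashes produced before the change are invalid',
                $ext, $baseline[$ext] ? 'loaded' : 'absent', $current[$ext] ? 'loaded' : 'absent'
            );
        }
    }
    // Per the first caveat, a key change matters when mcrypt was in use.
    if ($baseline['mcrypt'] && $baseline['key_fp'] !== $current['key_fp']) {
        $warnings[] = 'secret key changed while mcrypt was enabled: every hash from this extension is invalid';
    }
    return $warnings;
}

$baselineFile = __DIR__ . '/securepasswords-baseline.json';          // hypothetical path
$secretKey    = getenv('WG_SECRET_KEY') ?: 'constructed-sample-key'; // supply the real $wgSecretKey value
$current      = sp_environment_state($secretKey);

if (!is_file($baselineFile)) {
    file_put_contents($baselineFile, json_encode($current));
    chmod($baselineFile, 0600);
    echo "Baseline recorded.\n";
    exit(0);
}

$baseline = json_decode(file_get_contents($baselineFile), true);
$warnings = sp_detect_drift($baseline, $current);
foreach ($warnings as $w) {
    fwrite(STDERR, "WARNING: $w\n");
}
exit($warnings ? 1 : 0);
```

Run it with the same php.ini the web server uses, since the command-line and web configurations of PHP can load different sets of extensions. pspell is left out because it only affects the strength checker, not stored hashes.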