Manual:$wgPasswordPolicy

Details
A password policy is of the form


 *   etc. are rights>Special:MyLanguage/Manual:User rights#List of groups|user groups, plus the special group  which is required to be present and applies to everyone.


 *   etc. are arbitrary check names, defined in the   subarray.


 *   etc. are policy values, passed to the appropriate callback defined in the   subarray. If the same check applies to a user via multiple groups, it will be applied with the   of the values.
 * Alternatively,   could be an array with the fields  </> (same as above), <tvar|3> </> (when set to true, users will be shown a password change form during login if the check fails) and <tvar|4> </> (like <tvar|5> </> but the form cannot be skipped).


 * <tvar|callable> </> etc. are [<tvar|url>https://php.net/language.types.callable</> PHP callables], which receive three arguments: the defined value, the <tvar|User></> object and the password, and return a StatusValue. A fatal status means the password can't be used, even for login; a non-fatal error means the value is not accepted as a new password (on account creation or password change), but can be used for login; the user will be shown a (skippable) password change form.  Default checks (found in <tvar|file> </>):
 * - Minimum length a user can set
 * - Passwords shorter than this will not be allowed to login, regardless if it is correct.
 * - Maximum length password a user is allowed to attempt. Prevents DoS attacks with pbkdf2.
 * - Password cannot match username
 * Your password must not appear within your username.
 * - Blacklists some passwords which have been used by MediaWiki unit tests in the past.
 * - Blacklist passwords which are known to be commonly chosen. Set to integer n to ban the top n passwords.  If you want to ban all common passwords on file, use the <tvar|max> </> constant.  See also  (the default file comes with MediaWiki and has 10K passwords).  Removed in MW 1.35+, use   instead.
 * - Same as the previous one, except uses the larger blacklist that comes with the <tvar|library>wikimedia/password-blacklist</> library. Deprecated in MW 1.35+, use   instead.
 * - Password not in best practices list of 100,000 commonly used passwords.

Examples
This example shows how to change selected policies for all users:

This example shows how to change selected policies for users of the "sysop" group: