Wikimedia Security Team/Password strengthening 2019

This project is one of the first steps in a long-term plan to increase the security of Wikimedia authentication and authorization systems.

In general, most security breaches on the Internet are related to stolen or weak passwords. We want to build upon the great security culture within the Wikimedia movement to protect your contributions and the contributions of others.

This page describes a new password policy and password requirements for Wikimedia wikis. Feedback on how this change might impact your work is welcomed on the talk page.

New Password Policy
The Wikimedia Security Team has developed a new password policy for Wikimedia wikis. The policy can be found in full on Meta-wiki.

The new policy describes the purpose, scope, and compliance activities regarding passwords – including new password requirements.

Password requirements
These are the new password requirements for all Wikimedia wikis. The Wikimedia Security team has chosen to base these requirements on the National Institute of Standards and Technology guidelines. These requirements apply to new accounts and to accounts in privileged user groups.

 * New password minimum length of 8 characters for all new accounts
   * This is enforced when the account is created and when the password is reset
 * New password minimum length of 10 characters for privileged accounts
   * This is enforced the next time the user logs in
 * Passwords from the top 100,000 passwords used in the world are not allowed

When a person creates a new account and their password does not meet these requirements, the API or the UI will return an appropriate error message.

Who this impacts
This change will apply to all accounts. New accounts created after the policy is put into effect must meet the new password requirements. Existing accounts are only impacted if the user manually resets the password or if the account belongs to a privileged user group on any wiki. Privileged accounts include: Administrators, Interface administrators, Bureaucrats, Oversighters, Central notice administrators, Global renamers, WMF Office IT, WMF Support and Safety, CheckUsers, Staff, and Stewards.

Users in these groups will receive a notification to change their password to comply with the new policy every time they log in, until the password meets the requirements.
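The following is an added illustration of how the requirements above and the enforcement points described in this section fit together; it is not Wikimedia's or MediaWiki's own code. It assumes the group names listed above are passed in as plain strings, and it uses a small constructed sample in place of the real top-100,000 password list, which this page does not include.

```python
"""Password policy check modelled on the requirements on this page.

Added example, not Wikimedia's or MediaWiki's code. The privileged group
names are taken from the page; the blocklist below is a constructed
stand-in for the real top-100,000 list (not on the page).
"""

MIN_LENGTH_DEFAULT = 8      # new accounts; enforced on creation and password reset
MIN_LENGTH_PRIVILEGED = 10  # privileged accounts; enforced at next login

# Group names as listed on the page.
PRIVILEGED_GROUPS = frozenset({
    "Administrators", "Interface administrators", "Bureaucrats", "Oversighters",
    "Central notice administrators", "Global renamers", "WMF Office IT",
    "WMF Support and Safety", "CheckUsers", "Staff", "Stewards",
})

# Constructed sample standing in for the real list of the 100,000 most
# common passwords. Exact-match comparison is an assumption of this example.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "letmein", "wikipedia",
})

VALID_EVENTS = ("create", "reset", "login")


def is_privileged(groups):
    """True if the account is in any privileged group on any wiki."""
    return any(g in PRIVILEGED_GROUPS for g in groups)


def check_password(password, groups=(), event="create"):
    """Return a list of policy violations (empty list means the password passes).

    event: "create" or "reset" applies the rules to every account;
           "login" applies them only to privileged accounts, because an
           existing unprivileged account is not affected until it resets.
    """
    if event not in VALID_EVENTS:
        raise ValueError(f"unknown event {event!r}")
    privileged = is_privileged(groups)
    if event == "login" and not privileged:
        return []  # existing non-privileged accounts are left alone at login

    errors = []
    required = MIN_LENGTH_PRIVILEGED if privileged else MIN_LENGTH_DEFAULT
    if len(password) < required:  # length in characters (code points)
        errors.append(f"Password must be at least {required} characters long.")
    if password in COMMON_PASSWORDS:
        errors.append("Password is among the most common passwords and is not allowed.")
    return errors


def needs_password_change(password, groups=()):
    """Whether a logging-in user should be shown the change-your-password notice."""
    return bool(check_password(password, groups, event="login"))


if __name__ == "__main__":
    # Quick demonstration with constructed inputs.
    for pw, groups, event in [
        ("abcdefg", (), "create"),
        ("password", (), "create"),
        ("abcdefgh", ("Administrators",), "reset"),
        ("password", ("Stewards",), "login"),
        ("password", (), "login"),
    ]:
        print(f"{event:6} {pw!r:12} {groups!r:22} -> {check_password(pw, groups, event)}")
```

The three enforcement points on the page map onto the `event` argument: creation and reset apply the 8-character rule (or 10 for a privileged account), while a login only triggers checks, and hence the change-password notice, when the account is in a privileged group.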

We encourage all users to follow best practices: use a password manager, don’t reuse passwords, and follow the password requirements mentioned above.