Extension:SecurePasswords

What can this extension do?
This extension stores more secure password hashes in the database and adds a password strength checker.

The password strength checker is configurable through the $wgValidPasswords array.

Prerequisites
Before installing this extension, make sure that the following PHP extensions are installed. This extension will work without them, but it won't be as feature-rich:
 * mcrypt - allows for further encrypting password hashes
 * zlib - allows for compressing password hashes
 * pspell - allows checking passwords against a dictionary

Installation
To install this extension, unpack the extension to /extensions (it should create a new directory called SecurePasswords).

Then, execute the securepasswords.sql file, either via the sql.php maintenance script or directly in MySQL (be sure to add the correct prefix to the tables if doing the latter). This expands the password fields in the user table so that they can store more characters (otherwise most of the hashes will be truncated).

Finally, add the following near the end of your LocalSettings.php file:

Configuration parameters
$wgValidPasswords is an associative array of what to check for when validating new passwords. The default values and descriptions are below:

$wgSecurePasswordsSpecialChars is a character class of special characters checked for if 'special' is true in $wgValidPasswords. Characters that have special meanings in regular expressions must be escaped with "\". The default value is below:
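
The escaping requirement as an added PHP example (not the extension's code and not its default value). It assumes the configured string is placed between "[" and "]" in a PCRE pattern; the function name, the "~" delimiter and the sample lists are made up for illustration.

```php
<?php
// Added illustration; not SecurePasswords' own code.
// Assumption: the configured string ends up between "[" and "]" in a PCRE pattern.
function hasSpecialChar( string $password, string $charClass ): bool {
    // "~" is a delimiter chosen for this sketch only.
    $result = @preg_match( '~[' . $charClass . ']~', $password );
    if ( $result === false ) {
        // For example a reversed range such as "=-+" does not compile at all.
        throw new InvalidArgumentException( "Character class does not compile: $charClass" );
    }
    return $result === 1;
}

// Constructed sample lists and passwords, not the extension's default value.
$cases = [
    // "+-=" is parsed as a range from "+" to "=" instead of three characters.
    [ '!+-=@', 'abc123' ],
    // "]" in the middle closes the class, leaving "@" and "]" as literal text after it.
    [ '!]@', 'abc]def' ],
];

foreach ( $cases as [ $raw, $password ] ) {
    // preg_quote() backslash-escapes every regex metacharacter in the list,
    // which is the form the setting expects.
    $escaped = preg_quote( $raw, '~' );
    printf(
        "list %-6s password %-8s unescaped: %-5s escaped (%s): %s\n",
        $raw,
        $password,
        var_export( hasSpecialChar( $password, $raw ), true ),
        $escaped,
        var_export( hasSpecialChar( $password, $escaped ), true )
    );
}
```

In the first list the unescaped "+-=" is read as a range that also covers the digits, and in the second the unescaped "]" closes the class early, so in both cases the check no longer tests for the characters that were listed.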

Caveats

 * Changing $wgSecretKey will render every password hashed by this extension invalid if the mcrypt extension for PHP is enabled.
 * Enabling or disabling the mcrypt and zlib extensions for PHP after this extension has been installed will render hashes produced before the changes invalid.
 * Passwords hashed without this extension and current passwords that do not meet the strength criteria will still work, but this extension will make no effort to contact these users to change their passwords to take advantage of the new security.
 * The message override to explain the restrictions is an utter hack. As such, changes you make to MediaWiki:Securepasswords-password might or might not work (I'm not entirely sure).

Changelog

 * Version 1.1: Removed the 'maxlength' parameter from $wgValidPasswords, moved the special characters into a global, and replaced the default "Invalid password" message with a custom one explaining the restrictions (albeit in an utterly hacked way).
 * Version 1.0: Initial version. Experimental.