From MediaWiki.org
Jump to navigation Jump to search
MediaWiki extensions manual
OOjs UI icon advanced.svg
Release status: beta
Implementation User identity
Description Enforces secure password rules on new accounts and password changes.
Author(s) Michael Briganti (mbrigantitalk)
Latest version 1.0.0 (2010-08-18)
MediaWiki 1.15+
License GPL
Download Project page
Subversion [Help]

Browse source code
View code changes

Note Note: No localisation updates provided by translatewiki.net .
$wgValidPasswords, $wgMinimalPasswordLength, $wgPasswordSpecialChars
Translate the SafeCreate extension if it is available at translatewiki.net
Check usage and version matrix.

What can this extension do?[edit]

This extension works in 2 ways to help users set more secure passwords (with password rules that are setup in LocalSettings.php):

  • Requiring new account to conform to the password rules
  • Requiring changed passwords on the Special:ChangePassword page to conform to the password rules


  • Does not require any customizations to the Mediawiki core code, nor does it require any customizations to the database.
    • Easy to switch back to the default Mediawiki authentication method.
  • Allows users who are already in the database (who might have passwords that do not conform with the rules) to log in normally.


This extension has only been tested on Mediawiki 1.15.5.

Download instructions[edit]

Please download the file from the SVN link on the right and place it in $IP/extensions/safeCreate/. Note: $IP stands for the root directory of your MediaWiki installation, the same directory that holds LocalSettings.php .


To install this extension, add the following to LocalSettings.php :

$wgMinimalPasswordLength = 8;
$wgPasswordSpecialChars = '.|\/!@#$%^&*\(\)-_=+\[\]{}`~,<>?\'";: '; # Character class of special characters for a regex
$wgValidPasswords = array(
	'minlength' => $wgMinimalPasswordLength, #Minimum password length, should be at least 8 for decent security
	'lowercase' => true, #Should we require at least one lowercase letter?
	'uppercase' => true, #Should we require at least one uppercase letter?
	'digit'     => true, #Should we require at least one digit?
	'special'   => false, #Should we require at least one special character (punctuation, etc.)?
	'usercheck' => true, #Should we disallow passwords that are the same as the username?

Configuration parameters[edit]

Each of the items in the $wgValidPasswords array can be set to require that item in the passwords for new accounts and password changes. With the exception of "minlength", if the item is set to "true", that item is required and "false" means that it is not required. The item "minlength" is set to $wgMinimalPasswordLength, which is set to the minimum character length requirement of the password (the value '0' means that there is no minimum requirement). The array $wgPasswordSpecialChars is used for the "special" item of the $wgValidPasswords array. To limit the special characters that count for "special characters," remove them from this list.


  • 1.0.0 (Initial release)

See also[edit]

SecurePasswords - Credit given to this extension for ideas used in my extension.