Manual talk:$wgMinimalPasswordLength

From mediawiki.org

Effects of changing password length

I'm looking to change the password length for an existing Wiki and wondered if this will have a negative effect on existing users who have passwords with fewer characters. If so, can this be managed? --Guy Grannum 12:00, 16 February 2010 (UTC)

Yeah, that's a valid question. I would think that the change affects only new registrations; however, I am not sure. I will ask at the support desk for confirmation. --[[kgh]] (talk) 19:30, 3 April 2014 (UTC)
$wgMinimalPasswordLength is checked when setting a new password. The impact on existing users is that they - when they try to set a new password - will have to set a password fitting the new minimal length. That means: They will no longer be able to set a password which is shorter than $wgMinimalPasswordLength; that means they possibly have to use a longer password than they had before.
The paranoid admin might now ask: "How can I force all my users to make their password fit the new minimal length?" As the actual passwords are saved in an encoded form, you cannot say how long the corresponding password is. So the only way to go would be to invalidate all passwords of all users. You have to judge whether this is worth the hassle; after all this would affect really all users - even those who already had a password with a fitting length set, which I personally find rather annoying. --88.130.65.73 22:13, 3 April 2014 (UTC)
No, that's not true. In the versions of MediaWiki that most people are currently using, existing users with passwords that don't meet the requirements will receive "Incorrect password entered." when they try to log in; they would have to reset their passwords with Special:PasswordReset. With Gerrit change 77645 (which is not in 1.22.5), those users can log in as normal, but will immediately be forced to change their passwords. —Emufarmers(T|C) 04:43, 4 April 2014 (UTC)
Thank you for all your replies! I like 88.130.x's answer better, with the requirement to change to a longer password as soon as one touches it (again) - that's what I actually expected - but reality seems to be different. --[[kgh]] (talk) 08:27, 4 April 2014 (UTC)
I didn't know that. However, reading the code of 1.22.5, Emufarmers seems to be right. So we can say in any case: If you change this value, users with a password shorter than your new $wgMinimalPasswordLength have to change their password the next time they log in (either using Special:PasswordReset or, after Gerrit change 77645, they will be presented with a corresponding form after login). Added that to the page. --88.130.65.73 12:46, 4 April 2014 (UTC)
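
The following is an added example, not part of the thread and not MediaWiki's own code: a small Python model of why a stored hash cannot tell an admin which passwords are too short, and of the two login behaviours described above (rejection as an incorrect password versus login followed by a forced change). The function names, status strings, and the use of PBKDF2 as the stored form are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # constructed value for this sketch


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest is 32 bytes whatever the password length."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def make_user(password: str) -> dict:
    """Build a stored record holding only salt and digest, never the password."""
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest}


def login(record: dict, attempt: str, min_length: int, force_change: bool) -> str:
    """Model the two behaviours described in the thread (hypothetical statuses).

    force_change=False: a too-short password is reported like a wrong one.
    force_change=True: login succeeds but a password change is required.
    """
    _, digest = hash_password(attempt, record["salt"])
    if not hmac.compare_digest(digest, record["digest"]):
        return "incorrect-password"
    # Only at this point, with the plaintext in hand, can the length be checked.
    if len(attempt) < min_length:
        return "must-change-password" if force_change else "incorrect-password"
    return "ok"


if __name__ == "__main__":
    short_user = make_user("abc12")  # constructed sample, 5 characters
    long_user = make_user("correct horse battery")  # constructed sample
    # Both stored digests have the same size, so length cannot be audited offline.
    print(len(short_user["digest"]), len(long_user["digest"]))
    for mode in (False, True):
        print(mode,
              login(short_user, "abc12", 8, mode),
              login(long_user, "correct horse battery", 8, mode))
```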