Topic on Talk:Wikimedia Security Team/Password strengthening 2019

Ah, apologies for the confusion. The requirements section does state for privileged accounts, "This is enforced the next time the user logs in"

I just made an edit that tries to make it a little more clear. Does that help?

Thanks, but no, that did not help. The problem is the bulleted text in the "Password requirements" section. That clearly states that a minimum length of 10 characters for the password of a privileged account will be enforced at next log in. The top 100,000 requirement is separate and there is no mention of when or whether it will be enforced. I would be happy to fix the wording, which you would obviously check, but I have no idea what the plan is.

The NIST guidelines (last updated in 2017) actually recommend 8 or more characters.

8 character Unicode passwords surely can not be broken within hours by any means available on Earth. Also, the attack scenario is not an offline attack, it is subject to rate limits unless someone steals the database.

You're making a classic mistake here. The 8 character password is weak is based on the assumption you can a do a Brute-force attack. In the case of the web service (like Wikipedia), that's not the case. You can't just try, try and try, mechanisms are in place to slow you down. Compare it with a pin code on an ATM card. Generally only 4 digits long, but generally secure enough because after three failed tries, the card stops working.

FWIW even against bruteforcing by an attacker with access to the hash, 8 random characters are not really weak. If you use PBKDF2 with 10K+ rounds as per the NIST recommendation (Wikimedia uses 128K rounds), an attacker on a high-tier PC will be down to a few ten thousand tries per second (so about a month to bruteforce a single all-lowercase random 8 character password, about 100 years if it's mixed case + numbers).