Wikimedia Security Team/Password strengthening 2019

From MediaWiki.org

This project is one of the first steps in a long-term plan to increase the security of Wikimedia authentication and authorization systems.

In general, most security breaches on the Internet are related to stolen or weak passwords. We want to build upon the great security culture within the Wikimedia movement to protect your contributions and the contributions of others.

This page describes a new password policy and password requirements for Wikimedia wikis. Feedback on how this change might impact your work is welcomed on the talk page.

New Password Policy

The Wikimedia Security Team has developed a new password policy for Wikimedia wikis. The policy can be found in full on Meta-wiki.

The new policy describes the purpose, scope, and compliance activities regarding passwords – including new password requirements.

Password requirements

These are the new password requirements for all Wikimedia wikis. The Wikimedia Security Team has based them on the National Institute of Standards and Technology (NIST) guidelines. They apply to new accounts, to accounts in privileged user groups, and whenever any account requests a password change.

For all accounts:

  • Minimum password length of 8 characters;
  • Must not be in the 100,000 most popular passwords (as defined by the Password Blacklist library); and
  • Must not be the same as the username.
  • These rules are enforced for all accounts when the account is created and when the password is changed; a password that fails them is rejected and a new one must be chosen.

For privileged accounts, the above rules apply, plus:

  • Minimum password length of 10 characters.
  • If the current password does not meet the requirements, the UI prompts the user at login to set a new password, but still allows the login with the 'weak' password.
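The two enforcement paths above, a hard rejection when a password is set and a prompt-but-allow check at login for privileged accounts, implemented as an added Python example; this is not MediaWiki's own PasswordPolicyChecks code. The blacklist is a constructed stand-in for the 100,000-entry list, and the internal group names are assumed.

```python
from dataclasses import dataclass, field

MIN_LENGTH_ALL = 8          # all accounts
MIN_LENGTH_PRIVILEGED = 10  # accounts in a privileged user group

# Constructed stand-in for the Password Blacklist library's
# 100,000 most popular passwords (the real list is far larger).
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty123", "letmein123",
    "iloveyou1", "password1", "welcome123",
})

# Assumed internal group names for some of the roles the page lists.
PRIVILEGED_GROUPS = frozenset({
    "sysop", "bureaucrat", "checkuser", "steward", "oversight",
})


@dataclass
class PolicyResult:
    ok: bool
    problems: list = field(default_factory=list)


def is_privileged(groups):
    """True if the account is in any privileged group on any wiki."""
    return bool(PRIVILEGED_GROUPS & set(groups))


def check_password(username, password, groups=()):
    """Apply every rule and report all violations, not just the first."""
    problems = []
    min_len = MIN_LENGTH_PRIVILEGED if is_privileged(groups) else MIN_LENGTH_ALL
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if password in COMMON_PASSWORDS:  # exact match; normalisation left to the library
        problems.append("in the common-password blacklist")
    if password == username:
        problems.append("same as the username")
    return PolicyResult(not problems, problems)


def on_password_set(username, password, groups=()):
    """Account creation or password change: any violation blocks the action."""
    return "accepted" if check_password(username, password, groups).ok else "rejected"


def on_login(username, password, groups=()):
    """Login: a privileged account with a weak password is let in but told
    to set a new password; non-privileged accounts are not checked here."""
    if not is_privileged(groups):
        return "login"
    return "login" if check_password(username, password, groups).ok else "login-with-reset-prompt"
```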

Who this impacts

This change will apply to all accounts.

New accounts created after the policy takes effect must meet the new password requirements. Existing accounts are affected when the user manually resets the password. If the account belongs to a privileged user group on any wiki, the user will be prompted to set a new password.

Privileged accounts include common roles such as: Administrators, Bot admins, Bureaucrats, Check users, Global renamers, Interface administrators, Oversighters, and Stewards.

Additional roles: Abuse filter helpers, CentralNotice administrators, Eliminators, Engineers, Founder, Global interface editors, Global sysops, Interface editors, New wiki importers, Ombudsmen, Staff, Sysadmins, Template editors, Wikimedia Foundation Office IT, Wikidata-staff, and Wikimedia Foundation Support and Safety.

Users in these groups will receive a notification to change their password to comply with the new policy when they log in.

All users on private and fishbowl wikis are also included.

We do encourage all users to follow best practices. Use a password manager, don’t reuse passwords, and follow the password requirements mentioned above.
