Manual:$wgPolisi kata kunci
User accounts, authentication: $wgPasswordPolicy | |
---|---|
Specifies various settings related to password strength and security. |
|
Introduced in version: | 1.26.0 (Gerrit change 206156; git #1a20dc) |
Removed in version: | Still in use |
Allowed values: | lihat di bawah |
Default value: | lihat di bawah |
Other settings: Alphabetical | By function |
Perincian
General setup of policy checks
A password policy is of this form:
$wgPasswordPolicy = [
'policies' => [
'<group1>' => [
'<check1>' => '<value1>',
// ...
],
// ...
],
'checks' => [
'<check1>' => '<callable1>',
// ...
],
];
<group1>
etc. are user groups, plus the special groupdefault
which is required to be present and applies to everyone.
<check1>
etc. are arbitrary check names, defined in thechecks
subarray.
<value1>
etc. are policy values, passed to the appropriate callback defined in thechecks
subarray.
If the same check applies to a user via multiple groups, it will be applied with the max()
of the values. Alternatively, <value1>
could be an array with the following fields:
value
: same as abovesuggestChangeOnLogin
: when set to true, users will be shown a password change form during login if the check failsforceChange
: likesuggestChangeOnLogin
but the form cannot be skipped.
<callable1>
etc. are PHP callables, which receive three arguments: the defined value, the User object and the password, and return a StatusValue.
A fatal status means the password can't be used, even for login; a non-fatal error means the value is not accepted as a new password (on account creation or password change), but can be used for login (depending on the suggestChangeOnLogin
and forceChange
flags, the user might be shown a password change form).
Default password policy checks
Default checks as defined in includes/password/PasswordPolicyChecks.php
:
MinimalPasswordLength
— Panjang minimum seseorang pengguna boleh gunakanMinimumPasswordLengthToLogin
— Passwords shorter than this will not be allowed to log in, regardless if it is correct.MaximalPasswordLength
— Maximum length password a user is allowed to attempt. Prevents DoS attacks with pbkdf2.PasswordCannotMatchUsername
— Password cannot match usernamePasswordCannotBeSubstringInUsername
— Your password must not appear within your username.PasswordCannotMatchBlacklist
— Blacklists some passwords which MediaWiki unit tests have used in the past.PasswordCannotBePopular
— Blacklist passwords which are known to be commonly chosen. Set to integer n to ban the top n passwords. If you want to ban all common passwords on file, use thePHP_INT_MAX
constant. See also $wgPopularPasswordFile (the default file comes with MediaWiki and has 10K passwords).
Note: (removed in 1.35) UsePasswordNotInCommonList
instead.PasswordNotInLargeBlacklist
— Same as the previous one, except uses the larger blacklist that comes with the wikimedia/password-blacklist library.
Note: (deprecated in 1.35) UsePasswordNotInCommonList
instead.PasswordNotInCommonList
— Password not in best practices list of 100,000 commonly used passwords.
You should avoid redefining the default checks in $wgPasswordPolicy['checks']
, as such changes might break during MediaWiki upgrades.
Contoh
Changing selected password policies
Berikut contoh bagaimana untuk mengubah polisi-polisi untuk semua pengguna:
$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 10;
$wgPasswordPolicy['policies']['default']['MaximalPasswordLength'] = 128;
$wgPasswordPolicy['policies']['default']['PasswordCannotMatchUsername']['value'] = false;
This example shows how to change selected policies for users of the "sysop" group:
$wgPasswordPolicy['policies']['sysop']['MinimumPasswordLengthToLogin'] = 10;
$wgPasswordPolicy['policies']['sysop']['MinimalPasswordLength'] = 20;
Disabling all password policies
For development machines, it might be helpful to disable all password policies, which can be done with the following line:
$wgPasswordPolicy = [ 'policies' => [ 'default' => [] ], 'checks' => [] ];
Default
MediaWiki version: | ≥ 1.43 |
use MediaWiki\Password\PasswordPolicyChecks;
$wgPasswordPolicy = [
'policies' => [
'bureaucrat' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'sysop' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'interface-admin' => [ // 1.32+
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'bot' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'default' => [
'MinimalPasswordLength' => [ 'value' => 8, 'suggestChangeOnLogin' => true ], // 1.40+
'PasswordCannotBeSubstringInUsername' => [ // 1.35+
'value' => true,
'suggestChangeOnLogin' => true
],
'PasswordCannotMatchDefaults' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.35+
'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordNotInCommonList' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.35+
],
],
'checks' => [
'MinimalPasswordLength' => [ PasswordPolicyChecks::class, 'checkMinimalPasswordLength' ],
'MinimumPasswordLengthToLogin' => [ PasswordPolicyChecks::class, 'checkMinimumPasswordLengthToLogin' ],
'PasswordCannotBeSubstringInUsername' => [ PasswordPolicyChecks::class, 'checkPasswordCannotBeSubstringInUsername' ],
'PasswordCannotMatchDefaults' => [ PasswordPolicyChecks::class, 'checkPasswordCannotMatchDefaults' ],
'MaximalPasswordLength' => [ PasswordPolicyChecks::class, 'checkMaximalPasswordLength' ],
'PasswordNotInCommonList' => [ PasswordPolicyChecks::class, 'checkPasswordNotInCommonList' ],
],
];
Older versions | ||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
$wgPasswordPolicy = [
'policies' => [
'bureaucrat' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'sysop' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'interface-admin' => [ // 1.32+
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'bot' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'default' => [
'MinimalPasswordLength' => [ 'value' => 8, 'suggestChangeOnLogin' => true ], // 1.40+
'PasswordCannotBeSubstringInUsername' => [ // 1.35+
'value' => true,
'suggestChangeOnLogin' => true
],
'PasswordCannotMatchDefaults' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.35+
'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordNotInCommonList' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.35+
],
],
'checks' => [
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotBeSubstringInUsername' =>
'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername', // 1.35+
'PasswordCannotMatchDefaults' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults', // 1.35+
'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
'PasswordNotInCommonList' => 'PasswordPolicyChecks::checkPasswordNotInCommonList', // 1.35+
],
];
$wgPasswordPolicy = [
'policies' => [
'bureaucrat' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'sysop' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'interface-admin' => [ // 1.32+
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'bot' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'default' => [
'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordCannotBeSubstringInUsername' => [ // 1.35+
'value' => true,
'suggestChangeOnLogin' => true
],
'PasswordCannotMatchDefaults' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.35+
'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordNotInCommonList' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.35+
],
],
'checks' => [
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotBeSubstringInUsername' =>
'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername', // 1.35+
'PasswordCannotMatchDefaults' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults', // 1.35+
'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
'PasswordNotInCommonList' => 'PasswordPolicyChecks::checkPasswordNotInCommonList', // 1.35+
],
];
$wgPasswordPolicy = [
'policies' => [
'bureaucrat' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'sysop' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'interface-admin' => [ // 1.32+
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'bot' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'default' => [
'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordCannotMatchUsername' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordCannotBeSubstringInUsername' => [ // 1.35+
'value' => true,
'suggestChangeOnLogin' => true
],
'PasswordCannotMatchDefaults' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.35+
'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordNotInCommonList' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.35+
],
],
'checks' => [
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
'PasswordCannotBeSubstringInUsername' =>
'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername', // 1.35+
'PasswordCannotMatchDefaults' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults', // 1.35+
'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
'PasswordNotInCommonList' => 'PasswordPolicyChecks::checkPasswordNotInCommonList', // 1.35+
],
];
$wgPasswordPolicy = [
'policies' => [
'bureaucrat' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'sysop' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'interface-admin' => [ // 1.32+
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'bot' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'default' => [
'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordCannotMatchUsername' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordCannotBeSubstringInUsername' => [ // 1.35+
'value' => true,
'suggestChangeOnLogin' => true
],
'PasswordCannotMatchDefaults' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.35+
'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordNotInCommonList' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.35+
],
],
'checks' => [
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
'PasswordCannotBeSubstringInUsername' =>
'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername', // 1.35+
'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults', // 1.35
'PasswordCannotMatchDefaults' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults', // 1.35+
'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
'PasswordNotInLargeBlacklist' => 'PasswordPolicyChecks::checkPasswordNotInCommonList', // 1.35
'PasswordNotInCommonList' => 'PasswordPolicyChecks::checkPasswordNotInCommonList', // 1.35+
],
];
$wgPasswordPolicy = [
'policies' => [
'bureaucrat' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'sysop' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'interface-admin' => [ // 1.32+
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'bot' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'default' => [
'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordCannotMatchUsername' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordCannotMatchBlacklist' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.33+
'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordNotInLargeBlacklist' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.34+
],
],
'checks' => [
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist', // 1.27+
'PasswordNotInLargeBlacklist' => 'PasswordPolicyChecks::checkPasswordNotInLargeBlacklist', // 1.33+
],
];
$wgPasswordPolicy = [
'policies' => [
'bureaucrat' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
'PasswordNotInLargeBlacklist' => true, // 1.33
],
'sysop' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
'PasswordNotInLargeBlacklist' => true, // 1.33
],
'interface-admin' => [ // 1.32+
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
'PasswordNotInLargeBlacklist' => true, // 1.33
],
'bot' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
'PasswordNotInLargeBlacklist' => true, // 1.33
],
'default' => [
'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordCannotMatchUsername' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordCannotMatchBlacklist' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.33+
'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ], // 1.33+
],
],
'checks' => [
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist', // 1.27+
'PasswordNotInLargeBlacklist' => 'PasswordPolicyChecks::checkPasswordNotInLargeBlacklist', // 1.33+
],
];
$wgPasswordPolicy = [
'policies' => [
'bureaucrat' => [
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
'PasswordCannotBePopular' => 25, // 1.27+
],
'sysop' => [
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
'PasswordCannotBePopular' => 25, // 1.27+
],
'interface-admin' => [ // 1.32+
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
'PasswordCannotBePopular' => 25,
],
'bot' => [
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
],
'default' => [
'MinimalPasswordLength' => 1,
'PasswordCannotMatchUsername' => true,
'PasswordCannotMatchBlacklist' => true,
'MaximalPasswordLength' => 4096,
],
],
'checks' => [
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist' // 1.27+
],
];
$wgPasswordPolicy = [
'policies' => [
'bureaucrat' => [
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
'PasswordCannotBePopular' => 25, // 1.27+
],
'sysop' => [
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
'PasswordCannotBePopular' => 25, // 1.27+
],
'bot' => [
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
],
'default' => [
'MinimalPasswordLength' => 1,
'PasswordCannotMatchUsername' => true,
'PasswordCannotMatchBlacklist' => true,
'MaximalPasswordLength' => 4096,
],
],
'checks' => [
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist' // 1.27+
],
];
$wgPasswordPolicy = array(
'policies' => array(
'bureaucrat' => array(
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
),
'sysop' => array(
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
),
'bot' => array(
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
),
'default' => array(
'MinimalPasswordLength' => 1,
'PasswordCannotMatchUsername' => true,
'PasswordCannotMatchBlacklist' => true,
'MaximalPasswordLength' => 4096,
),
),
'checks' => array(
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
),
);
|