Manual:$wgPasswordPolicy
| User accounts, authentication: $wgPasswordPolicy | |
|---|---|
| Specifies various settings related to password strength and security. |
|
| Introduced in version: | 1.26.0 (Gerrit change 206156; git #1a20dc) |
| Removed in version: | still in use |
| Allowed values: | see below |
| Default value: | see below |
| Other settings: Alphabetical | By function | |
DetailsEdit
A password policy is of the form
$wgPasswordPolicy = [
'policies' => [
'group1' => [
'check1' => 'value1',
// ...
],
// ...
],
'checks' => [
'check1' => 'callable1',
// ...
],
];
group1etc. are user groups, plus the special groupdefaultwhich is required to be present and applies to everyone.check1etc. are arbitrary check names, defined in thecheckssubarray.value1etc. are policy values, passed to the appropriate callback defined in thecheckssubarray. If the same check applies to a user via multiple groups, it will be applied with themax()of the values.- Alternatively,
value1could be an array with the fieldsvalue(same as above),suggestChangeOnLogin(when set to true, users will be shown a password change form during login if the check fails) andforceChange(likesuggestChangeOnLoginbut the form cannot be skipped).
- Alternatively,
callable1etc. are PHP callables, which receive three arguments: the defined value, the User object and the password, and return a StatusValue. A fatal status means the password can't be used, even for login; a non-fatal error means the value is not accepted as a new password (on account creation or password change), but can be used for login; the user will be shown a (skippable) password change form. Default checks (found inincludes/password/PasswordPolicyChecks.php):MinimalPasswordLength- Minimum length a user can setMinimumPasswordLengthToLogin- Passwords shorter than this will not be allowed to login, regardless if it is correct.MaximalPasswordLength- Maximum length password a user is allowed to attempt. Prevents DoS attacks with pbkdf2.PasswordCannotMatchUsername- Password cannot match usernamePasswordCannotBeSubstringInUsernameYour password must not appear within your username.PasswordCannotMatchBlacklist- Blacklists some passwords which have been used by MediaWiki unit tests in the past.PasswordCannotBePopular- Blacklist passwords which are known to be commonly chosen. Set to integer n to ban the top n passwords. If you want to ban all common passwords on file, use thePHP_INT_MAXconstant. See also $wgPopularPasswordFile (the default file comes with MediaWiki and has 10K passwords).
Note: Removed in MW 1.35+, use PasswordNotInCommonListinstead.PasswordNotInLargeBlacklist- Same as the previous one, except uses the larger blacklist that comes with the wikimedia/password-blacklist library. Note: Deprecated in MW 1.35+, use PasswordNotInCommonListinstead.PasswordNotInCommonList- Password not in best practices list of 100,000 commonly used passwords.
ExamplesEdit
This example shows how to change selected policies for all users:
$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 10;
$wgPasswordPolicy['policies']['default']['MaximalPasswordLength'] = 128;
$wgPasswordPolicy['policies']['default']['PasswordCannotMatchUsername']['value'] = false;
This example shows how to change selected policies for users of the "sysop" group:
$wgPasswordPolicy['policies']['sysop']['MinimumPasswordLengthToLogin'] = 10;
$wgPasswordPolicy['policies']['sysop']['MinimalPasswordLength'] = 20;
Disabling all password policiesEdit
For development machines, it might be helpful to disable all password policies, which can be done with the following line:
 Warning: | You should never use this on production sites as it reduces the security of your wiki. It should only be used for test/development sites which do not hold any sensitive data. |
$wgPasswordPolicy = [ 'policies' => [ 'default' => [] ], 'checks' => [] ];
DefaultEdit
| MediaWiki version: | ≥ 1.37 |
$wgPasswordPolicy = [
'policies' => [
'bureaucrat' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'sysop' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'interface-admin' => [ // 1.32+
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'bot' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'default' => [
'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordCannotBeSubstringInUsername' => [ // 1.35+
'value' => true,
'suggestChangeOnLogin' => true
],
'PasswordCannotMatchDefaults' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.35+
'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordNotInCommonList' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.35+
],
],
'checks' => [
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotBeSubstringInUsername' =>
'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername', // 1.35+
'PasswordCannotMatchDefaults' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults', // 1.35+
'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
'PasswordNotInCommonList' => 'PasswordPolicyChecks::checkPasswordNotInCommonList', // 1.35+
],
];
| MediaWiki version: | ≥ 1.36 |
$wgPasswordPolicy = [
'policies' => [
'bureaucrat' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'sysop' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'interface-admin' => [ // 1.32+
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'bot' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'default' => [
'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordCannotMatchUsername' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordCannotBeSubstringInUsername' => [ // 1.35+
'value' => true,
'suggestChangeOnLogin' => true
],
'PasswordCannotMatchDefaults' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.35+
'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordNotInCommonList' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.35+
],
],
'checks' => [
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
'PasswordCannotBeSubstringInUsername' =>
'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername', // 1.35+
'PasswordCannotMatchDefaults' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults', // 1.35+
'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
'PasswordNotInCommonList' => 'PasswordPolicyChecks::checkPasswordNotInCommonList', // 1.35+
],
];
| MediaWiki version: | 1.35 |
$wgPasswordPolicy = [
'policies' => [
'bureaucrat' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'sysop' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'interface-admin' => [ // 1.32+
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'bot' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'default' => [
'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordCannotMatchUsername' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordCannotBeSubstringInUsername' => [ // 1.35+
'value' => true,
'suggestChangeOnLogin' => true
],
'PasswordCannotMatchDefaults' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.35+
'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordNotInCommonList' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.35+
],
],
'checks' => [
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
'PasswordCannotBeSubstringInUsername' =>
'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername', // 1.35+
'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults', // 1.35
'PasswordCannotMatchDefaults' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults', // 1.35+
'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
'PasswordNotInLargeBlacklist' => 'PasswordPolicyChecks::checkPasswordNotInCommonList', // 1.35
'PasswordNotInCommonList' => 'PasswordPolicyChecks::checkPasswordNotInCommonList', // 1.35+
],
];
| MediaWiki version: | 1.34 |
$wgPasswordPolicy = [
'policies' => [
'bureaucrat' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'sysop' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'interface-admin' => [ // 1.32+
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'bot' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
],
'default' => [
'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordCannotMatchUsername' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordCannotMatchBlacklist' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.33+
'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordNotInLargeBlacklist' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.34+
],
],
'checks' => [
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist', // 1.27+
'PasswordNotInLargeBlacklist' => 'PasswordPolicyChecks::checkPasswordNotInLargeBlacklist', // 1.33+
],
];
| MediaWiki version: | 1.33 |
$wgPasswordPolicy = [
'policies' => [
'bureaucrat' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
'PasswordNotInLargeBlacklist' => true, // 1.33
],
'sysop' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
'PasswordNotInLargeBlacklist' => true, // 1.33
],
'interface-admin' => [ // 1.32+
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
'PasswordNotInLargeBlacklist' => true, // 1.33
],
'bot' => [
'MinimalPasswordLength' => 10, // 1.33+
'MinimumPasswordLengthToLogin' => 1,
'PasswordNotInLargeBlacklist' => true, // 1.33
],
'default' => [
'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordCannotMatchUsername' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.33+
'PasswordCannotMatchBlacklist' => [ 'value' => true, 'suggestChangeOnLogin' => true ], // 1.33+
'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ], // 1.33+
],
],
'checks' => [
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist', // 1.27+
'PasswordNotInLargeBlacklist' => 'PasswordPolicyChecks::checkPasswordNotInLargeBlacklist', // 1.33+
],
];
| MediaWiki version: | 1.32 |
$wgPasswordPolicy = [
'policies' => [
'bureaucrat' => [
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
'PasswordCannotBePopular' => 25, // 1.27+
],
'sysop' => [
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
'PasswordCannotBePopular' => 25, // 1.27+
],
'interface-admin' => [ // 1.32+
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
'PasswordCannotBePopular' => 25,
],
'bot' => [
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
],
'default' => [
'MinimalPasswordLength' => 1,
'PasswordCannotMatchUsername' => true,
'PasswordCannotMatchBlacklist' => true,
'MaximalPasswordLength' => 4096,
],
],
'checks' => [
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist' // 1.27+
],
];
| MediaWiki versions: | 1.27 – 1.31 |
$wgPasswordPolicy = [
'policies' => [
'bureaucrat' => [
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
'PasswordCannotBePopular' => 25, // 1.27+
],
'sysop' => [
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
'PasswordCannotBePopular' => 25, // 1.27+
],
'bot' => [
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
],
'default' => [
'MinimalPasswordLength' => 1,
'PasswordCannotMatchUsername' => true,
'PasswordCannotMatchBlacklist' => true,
'MaximalPasswordLength' => 4096,
],
],
'checks' => [
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist' // 1.27+
],
];
| MediaWiki version: | 1.26 |
$wgPasswordPolicy = array(
'policies' => array(
'bureaucrat' => array(
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
),
'sysop' => array(
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
),
'bot' => array(
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
),
'default' => array(
'MinimalPasswordLength' => 1,
'PasswordCannotMatchUsername' => true,
'PasswordCannotMatchBlacklist' => true,
'MaximalPasswordLength' => 4096,
),
),
'checks' => array(
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
),
);