[Bug 16435] New extension to enforce minimum password strength.

2013-02-12 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=16435

Helder  changed:

   What|Removed |Added

   See Also||https://bugzilla.wikimedia.org/show_bug.cgi?id=25925

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l


[Bug 16435] New extension to enforce minimum password strength.

2013-02-08 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=16435

Chad H.  changed:

   What|Removed |Added

 CC|innocentkil...@gmail.com|



[Bug 16435] New extension to enforce minimum password strength.

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=16435

--- Comment #11 from Matthew Flaschen  ---
I've opened bug 44788 so we can specifically track that issue.

It's currently sort of in SecurePasswords, though there is no component for
that.



[Bug 16435] New extension to enforce minimum password strength.

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=16435

Matthew Flaschen  changed:

   What|Removed |Added

   See Also||https://bugzilla.wikimedia.org/show_bug.cgi?id=44788



[Bug 16435] New extension to enforce minimum password strength.

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=16435

MZMcBride  changed:

   What|Removed |Added

 Status|RESOLVED|REOPENED
 CC||b...@mzmcbride.com
 Resolution|FIXED   |---

--- Comment #10 from MZMcBride  ---
This bug doesn't feel fixed to me. In particular, this piece:

(In reply to comment #0)
> * enforce varying levels of password security by user group (i.e. admins have an
> intermediate level, stewards must have a high level)

doesn't appear to have been addressed. Re-opening for now.



[Bug 16435] New extension to enforce minimum password strength.

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=16435

Matthew Flaschen  changed:

   What|Removed |Added

 CC||mflasc...@wikimedia.org

--- Comment #9 from Matthew Flaschen  ---
Note that wgLivePasswordStrengthChecks was removed.  See
https://www.mediawiki.org/wiki/Manual:$wgLivePasswordStrengthChecks



[Bug 16435] New extension to enforce minimum password strength.

2010-12-04 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=16435

Chad H.  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||FIXED

--- Comment #8 from Chad H. 2010-12-04 18:59:44 UTC ---
I think between those two things we can call this FIXED.

Issues or enhancements with either should go as their own bugs.



[Bug 16435] New extension to enforce minimum password strength.

2010-12-04 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=16435

DieBuche  changed:

   What|Removed |Added

 CC||diebu...@gmail.com

--- Comment #7 from DieBuche  2010-12-04 18:58:00 UTC ---
http://www.mediawiki.org/wiki/Manual:$wgLivePasswordStrengthChecks
and
http://www.mediawiki.org/wiki/Extension:SecurePasswords



[Bug 16435] New extension to enforce minimum password strength.

2009-05-05 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=16435





--- Comment #6 from Thomas Bertels 2009-05-05 09:00:35 UTC ---
(In reply to comment #4)
> (In reply to comment #3)
> > Since there's a captcha after 3 attempts and a temporary lockout after 3 (or
> > so) more attempts, I'm not sure if it's a good idea to enforce that much
> > brute force or dictionary resistant passwords.
> > Too strong passwords would be difficult for the users to remember.
> > What about just letting the user know about his/her password strength?
> > 
> Yes, that'd be nice too. I know of several sites which have a password strength
> indicator beside the input which changes as you're typing from "empty" in grey
> -> "weak" in red -> "OK" in yellow -> "strong" in green using AJAX.

It could even be done by JavaScript only, by the way (unless we check against a
dictionary).

> > However, since the compromised accounts' passwords were either the same as
> > the login or just "password", those are basic rules to improve password
> > strength (they are probably already active).
> > 
> I'm not sure what you mean here... Are there already restrictions on using
> "password" as the password, or using your username as the password? That's good,
> but we can do better.
> 

I mean that we should just require passwords different from the username, and
forbid passwords like "password" or so.
Requiring very strong passwords (like letters + numbers) would be an
unnecessary annoyance for the user.


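
Added example, not part of the thread and not code from MediaWiki or any of its extensions: the rules discussed in comments #2 to #6 (password must differ from the username, "password" is refused, a toolserver-style 3-of-4 character-class count, and the empty/weak/OK/strong indicator levels) written in JavaScript, with a per-group minimum as requested in comment #0. The word list, length thresholds, group-to-level mapping and all function names are assumptions.

```javascript
// Added example. The same function has to run on the server when the password
// is set; in the browser it can only give feedback, it cannot enforce anything.
const COMMON = new Set(['password', 'passw0rd', '123456', 'qwerty', 'letmein']); // constructed sample list
const LEVELS = ['empty', 'weak', 'OK', 'strong']; // indicator levels from comment #4
// Hypothetical per-group minimums (admins intermediate, stewards high).
const GROUP_MINIMUM = new Map([['user', 'weak'], ['sysop', 'OK'], ['steward', 'strong']]);

// Counts how many of the four classes (lower, upper, digit, other) are present.
function characterClasses(pw) {
  return [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter((re) => re.test(pw)).length;
}

// Returns one of LEVELS, or 'rejected' for a password no group may use.
function passwordLevel(password, username) {
  if (password.length === 0) return 'empty';
  // Fold case and Unicode compatibility forms so "Alice"/"alice" compare equal.
  const folded = password.normalize('NFKC').toLowerCase();
  if (folded === username.normalize('NFKC').toLowerCase()) return 'rejected';
  if (COMMON.has(folded)) return 'rejected';
  const classes = characterClasses(password);
  if (password.length >= 12 && classes >= 3) return 'strong'; // assumed threshold
  if (password.length >= 8 && classes >= 3) return 'OK';      // "3 of 4 classes"
  return 'weak';
}

// A user in several groups must satisfy the strictest group's minimum.
function meetsGroupPolicy(password, username, groups) {
  const level = passwordLevel(password, username);
  const rank = LEVELS.indexOf(level); // -1 for 'rejected'
  const required = Math.max(
    LEVELS.indexOf('weak'), // floor: never accept 'empty' or 'rejected'
    ...groups.map((g) => LEVELS.indexOf(GROUP_MINIMUM.get(g) ?? 'weak'))
  );
  return { ok: rank >= required, level, required: LEVELS[required] };
}
```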


[Bug 16435] New extension to enforce minimum password strength.

2009-02-19 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=16435


^demon  changed:

   What|Removed |Added

 CC||innocentkil...@gmail.com




--- Comment #5 from ^demon 2009-02-19 19:58:53 UTC ---
Fwiw, I've already got an extension in SVN (PasswordStrength) that requires
some heuristics on changing password.

Maybe the features described here could be incorporated?




[Bug 16435] New extension to enforce minimum password strength.

2009-02-19 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=16435





--- Comment #4 from Mike.lifeguard 2009-02-19 17:41:33 UTC ---
(In reply to comment #3)
> Since there's a captcha after 3 attempts and a temporary lockout after 3 (or
> so) more attempts, I'm not sure if it's a good idea to enforce that much brute
> force or dictionary resistant passwords.
> Too strong passwords would be difficult for the users to remember.
> What about just letting the user know about his/her password strength?
> 
Yes, that'd be nice too. I know of several sites which have a password strength
indicator beside the input which changes as you're typing from "empty" in grey
-> "weak" in red -> "OK" in yellow -> "strong" in green using AJAX.

> However, since the compromised accounts' passwords were either the same as the
> login or just "password", those are basic rules to improve password strength
> (they are probably already active).
> 
I'm not sure what you mean here... Are there already restrictions on using
"password" as the password, or using your username as the password? That's good,
but we can do better.




[Bug 16435] New extension to enforce minimum password strength.

2009-02-19 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=16435


Thomas Bertels  changed:

   What|Removed |Added

 CC||tbertels+bugzi...@gmail.com




--- Comment #3 from Thomas Bertels 2009-02-19 17:17:18 UTC ---
(In reply to comment #2)
> Yes, but this should verify password /strength/
> 
> For example, on the toolserver, you cannot set a password with dictionary
> words (longer than X chars, I think), and you must include 3 of 4 character
> classes or something (lower case, uppercase, numbers, special chars...?). And
> so on (presumably the programmers know better than I do what makes a strong
> password).
> 

Since there's a captcha after 3 attempts and a temporary lockout after 3 (or
so) more attempts, I'm not sure if it's a good idea to enforce that much brute
force or dictionary resistant passwords.
Too strong passwords would be difficult for the users to remember.
What about just letting the user know about his/her password strength?

However, since the compromised accounts' passwords were either the same as the
login or just "password", those are basic rules to improve password strength
(they are probably already active).




[Bug 16435] New extension to enforce minimum password strength.

2008-12-17 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=16435


Mike.lifeguard  changed:

   What|Removed |Added

 CC||mikelifegu...@fastmail.fm




--- Comment #2 from Mike.lifeguard 2008-12-18 04:14:17 UTC ---
(In reply to comment #1)
> Note: Minimal password length is already configurable with
> $wgMinimalPasswordLength
> (http://www.mediawiki.org/wiki/Manual:$wgMinimalPasswordLength).
> 

Yes, but this should verify password /strength/

For example, on the toolserver, you cannot set a password with dictionary words
(longer than X chars, I think), and you must include 3 of 4 character classes
or something (lower case, uppercase, numbers, special chars...?). And so on
(presumably the programmers know better than I do what makes a strong
password).




[Bug 16435] New extension to enforce minimum password strength.

2008-11-27 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=16435


Alexandre Emsenhuber [IAlex] <[EMAIL PROTECTED]> changed:

   What|Removed |Added

 CC||[EMAIL PROTECTED]




--- Comment #1 from Alexandre Emsenhuber [IAlex] <[EMAIL PROTECTED]> 2008-11-27 22:06:08 UTC ---
Note: Minimal password length is already configurable with
$wgMinimalPasswordLength
(http://www.mediawiki.org/wiki/Manual:$wgMinimalPasswordLength).

