Manual:$wgPasswordPolicy

User accounts, authentication: $wgPasswordPolicy
Specifies various settings related to password strength and security.
Introduced in version:1.26.0 (Gerrit change 206156; git #1a20dc)
Removed in version:Still in use
Allowed values:see below
Default value:see below

Details

edit

A password policy is of the form

$wgPasswordPolicy = [
    'policies' => [
        'group1' => [
            'check1' => 'value1',
            // ...
        ],
        // ...
    ],
    'checks' => [
        'check1' => 'callable1',
        // ...
    ],
];
  • group1 etc. are user groups, plus the special group default which is required to be present and applies to everyone.
  • check1 etc. are arbitrary check names, defined in the checks subarray.
  • value1 etc. are policy values, passed to the appropriate callback defined in the checks subarray. If the same check applies to a user via multiple groups, it will be applied with the max() of the values.
    • Alternatively, value1 could be an array with the fields value (same as above), suggestChangeOnLogin (when set to true, users will be shown a password change form during login if the check fails) and forceChange (like suggestChangeOnLogin but the form cannot be skipped).
  • callable1 etc. are PHP callables, which receive three arguments: the defined value, the User object and the password, and return a StatusValue. A fatal status means the password can't be used, even for login; a non-fatal error means the value is not accepted as a new password (on account creation or password change), but can be used for login; the user will be shown a (skippable) password change form.
  • Default checks (found in includes/password/PasswordPolicyChecks.php):
    • MinimalPasswordLength — Minimum length a user can set
    • MinimumPasswordLengthToLogin — Passwords shorter than this will not be allowed to login, regardless if it is correct.
    • MaximalPasswordLength — Maximum length password a user is allowed to attempt. Prevents DoS attacks with pbkdf2.
    • PasswordCannotMatchUsername — Password cannot match username
    • PasswordCannotBeSubstringInUsername — Your password must not appear within your username.
    • PasswordCannotMatchBlacklist — Blacklists some passwords which have been used by MediaWiki unit tests in the past.
    • PasswordCannotBePopular — Blacklist passwords which are known to be commonly chosen. Set to integer n to ban the top n passwords. If you want to ban all common passwords on file, use the PHP_INT_MAX constant. See also $wgPopularPasswordFile (the default file comes with MediaWiki and has 10K passwords).
        Note: (removed in 1.35) Use PasswordNotInCommonList instead.
    • PasswordNotInLargeBlacklist — Same as the previous one, except uses the larger blacklist that comes with the wikimedia/password-blacklist library.
        Note: (deprecated in 1.35) Use PasswordNotInCommonList instead.
    • PasswordNotInCommonList — Password not in best practices list of 100,000 commonly used passwords.

Examples

edit

This example shows how to change selected policies for all users:

$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 10;
$wgPasswordPolicy['policies']['default']['MaximalPasswordLength'] = 128;
$wgPasswordPolicy['policies']['default']['PasswordCannotMatchUsername']['value'] = false;

This example shows how to change selected policies for users of the "sysop" group:

$wgPasswordPolicy['policies']['sysop']['MinimumPasswordLengthToLogin'] = 10;
$wgPasswordPolicy['policies']['sysop']['MinimalPasswordLength'] = 20;

Disabling all password policies

edit

For development machines, it might be helpful to disable all password policies, which can be done with the following line:

  Warning: You should never use this on production sites as it reduces the security of your wiki. It should only be used for test/development sites which do not hold any sensitive data.
$wgPasswordPolicy = [ 'policies' => [ 'default' => [] ], 'checks' => [] ];

Default

edit
MediaWiki version:
1.43
$wgPasswordPolicy = [
	'policies' => [
		'bureaucrat' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'sysop' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'interface-admin' => [	// 1.32+
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'bot' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'default' => [
			'MinimalPasswordLength' => [ 'value' => 8, 'suggestChangeOnLogin' => true ],	// 1.40+
			'PasswordCannotBeSubstringInUsername' => [	// 1.35+
				'value' => true,
				'suggestChangeOnLogin' => true
			],
			'PasswordCannotMatchDefaults' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.35+
			'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordNotInCommonList' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.35+
		],
	],
	'checks' => [
		'MinimalPasswordLength' => [ PasswordPolicyChecks::class, 'checkMinimalPasswordLength' ],
		'MinimumPasswordLengthToLogin' => [ PasswordPolicyChecks::class, 'checkMinimumPasswordLengthToLogin' ],
		'PasswordCannotBeSubstringInUsername' => [ PasswordPolicyChecks::class, 'checkPasswordCannotBeSubstringInUsername' ],
		'PasswordCannotMatchDefaults' => [ PasswordPolicyChecks::class, 'checkPasswordCannotMatchDefaults' ],
		'MaximalPasswordLength' => [ PasswordPolicyChecks::class, 'checkMaximalPasswordLength' ],
		'PasswordNotInCommonList' => [ PasswordPolicyChecks::class, 'checkPasswordNotInCommonList' ],
	],
];
MediaWiki versions:
1.40 – 1.42
$wgPasswordPolicy = [
	'policies' => [
		'bureaucrat' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'sysop' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'interface-admin' => [	// 1.32+
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'bot' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'default' => [
			'MinimalPasswordLength' => [ 'value' => 8, 'suggestChangeOnLogin' => true ],	// 1.40+
			'PasswordCannotBeSubstringInUsername' => [	// 1.35+
				'value' => true,
				'suggestChangeOnLogin' => true
			],
			'PasswordCannotMatchDefaults' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.35+
			'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordNotInCommonList' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.35+
		],
	],
	'checks' => [
		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
		'PasswordCannotBeSubstringInUsername' =>
			'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername',	// 1.35+
		'PasswordCannotMatchDefaults' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults',	// 1.35+
		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
		'PasswordNotInCommonList' => 'PasswordPolicyChecks::checkPasswordNotInCommonList',	// 1.35+
	],
];
MediaWiki version:
1.37
$wgPasswordPolicy = [
	'policies' => [
		'bureaucrat' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'sysop' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'interface-admin' => [	// 1.32+
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'bot' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'default' => [
			'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordCannotBeSubstringInUsername' => [	// 1.35+
				'value' => true,
				'suggestChangeOnLogin' => true
			],
			'PasswordCannotMatchDefaults' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.35+
			'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordNotInCommonList' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.35+
		],
	],
	'checks' => [
		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
		'PasswordCannotBeSubstringInUsername' =>
			'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername',	// 1.35+
		'PasswordCannotMatchDefaults' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults',	// 1.35+
		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
		'PasswordNotInCommonList' => 'PasswordPolicyChecks::checkPasswordNotInCommonList',	// 1.35+
	],
];
MediaWiki version:
1.36
$wgPasswordPolicy = [
	'policies' => [
		'bureaucrat' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'sysop' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'interface-admin' => [	// 1.32+
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'bot' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'default' => [
			'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordCannotMatchUsername' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordCannotBeSubstringInUsername' => [	// 1.35+
				'value' => true,
				'suggestChangeOnLogin' => true
			],
			'PasswordCannotMatchDefaults' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.35+
			'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordNotInCommonList' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.35+
		],
	],
	'checks' => [
		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
		'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
		'PasswordCannotBeSubstringInUsername' =>
			'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername',	// 1.35+
		'PasswordCannotMatchDefaults' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults',	// 1.35+
		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
		'PasswordNotInCommonList' => 'PasswordPolicyChecks::checkPasswordNotInCommonList',	// 1.35+
	],
];
MediaWiki version:
1.35
$wgPasswordPolicy = [
	'policies' => [
		'bureaucrat' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'sysop' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'interface-admin' => [	// 1.32+
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'bot' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'default' => [
			'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordCannotMatchUsername' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordCannotBeSubstringInUsername' => [	// 1.35+
				'value' => true,
				'suggestChangeOnLogin' => true
			],
			'PasswordCannotMatchDefaults' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.35+
			'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordNotInCommonList' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.35+
		],
	],
	'checks' => [
		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
		'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
		'PasswordCannotBeSubstringInUsername' =>
			'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername',	// 1.35+
		'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults',	// 1.35
		'PasswordCannotMatchDefaults' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults',	// 1.35+
		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
		'PasswordNotInLargeBlacklist' => 'PasswordPolicyChecks::checkPasswordNotInCommonList',	// 1.35
		'PasswordNotInCommonList' => 'PasswordPolicyChecks::checkPasswordNotInCommonList',	// 1.35+
	],
];
MediaWiki version:
1.34
$wgPasswordPolicy = [
	'policies' => [
		'bureaucrat' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'sysop' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'interface-admin' => [	// 1.32+
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'bot' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'default' => [
			'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordCannotMatchUsername' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordCannotMatchBlacklist' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.33+
			'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordNotInLargeBlacklist' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.34+
		],
	],
	'checks' => [
		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
		'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
		'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
		'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist',	// 1.27+
		'PasswordNotInLargeBlacklist' => 'PasswordPolicyChecks::checkPasswordNotInLargeBlacklist',	// 1.33+
	],
];
MediaWiki version:
1.33
$wgPasswordPolicy = [
	'policies' => [
		'bureaucrat' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordNotInLargeBlacklist' => true,	// 1.33
		],
		'sysop' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordNotInLargeBlacklist' => true,	// 1.33
		],
		'interface-admin' => [	// 1.32+
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordNotInLargeBlacklist' => true,	// 1.33
		],
		'bot' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordNotInLargeBlacklist' => true,	// 1.33
		],
		'default' => [
			'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordCannotMatchUsername' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordCannotMatchBlacklist' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.33+
			'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ],	// 1.33+
		],
	],
	'checks' => [
		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
		'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
		'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
		'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist',	// 1.27+
		'PasswordNotInLargeBlacklist' => 'PasswordPolicyChecks::checkPasswordNotInLargeBlacklist',	// 1.33+
	],
];
MediaWiki version:
1.32
$wgPasswordPolicy = [
	'policies' => [
		'bureaucrat' => [
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
			'PasswordCannotBePopular' => 25,	// 1.27+
		],
		'sysop' => [
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
			'PasswordCannotBePopular' => 25,	// 1.27+
		],
		'interface-admin' => [	// 1.32+
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
			'PasswordCannotBePopular' => 25,
		],
		'bot' => [
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
		],
		'default' => [
			'MinimalPasswordLength' => 1,
			'PasswordCannotMatchUsername' => true,
			'PasswordCannotMatchBlacklist' => true,
			'MaximalPasswordLength' => 4096,
		],
	],
	'checks' => [
		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
		'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
		'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
		'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist'	// 1.27+
	],
];
MediaWiki versions:
1.27 – 1.31
$wgPasswordPolicy = [
	'policies' => [
		'bureaucrat' => [
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
			'PasswordCannotBePopular' => 25,	// 1.27+
		],
		'sysop' => [
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
			'PasswordCannotBePopular' => 25,	// 1.27+
		],
		'bot' => [
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
		],
		'default' => [
			'MinimalPasswordLength' => 1,
			'PasswordCannotMatchUsername' => true,
			'PasswordCannotMatchBlacklist' => true,
			'MaximalPasswordLength' => 4096,
		],
	],
	'checks' => [
		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
		'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
		'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
		'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist'	// 1.27+
	],
];
MediaWiki version:
1.26
$wgPasswordPolicy = array(
	'policies' => array(
		'bureaucrat' => array(
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
		),
		'sysop' => array(
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
		),
		'bot' => array(
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
		),
		'default' => array(
			'MinimalPasswordLength' => 1,
			'PasswordCannotMatchUsername' => true,
			'PasswordCannotMatchBlacklist' => true,
			'MaximalPasswordLength' => 4096,
		),
	),
	'checks' => array(
		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
		'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
		'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
	),
);


See also

edit