Manual:$wgPasswordPolicy

From Linux Web Expert

The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
<translate> User accounts, authentication</translate>: $wgPasswordPolicy
Specifies various settings related to password strength and security.
<translate> Introduced in version:</translate>1.26.0 (Gerrit change 206156; git #1a20dc)
<translate> Removed in version:</translate><translate> still in use</translate>
<translate> Allowed values:</translate>see below
<translate> Default value:</translate>see below

Details

A password policy is of the form

$wgPasswordPolicy = [
    'policies' => [
        'group1' => [
            'check1' => 'value1',
            // ...
        ],
        // ...
    ],
    'checks' => [
        'check1' => 'callable1',
        // ...
    ],
];
  • group1 etc. are user groups, plus the special group default which is required to be present and applies to everyone.
  • check1 etc. are arbitrary check names, defined in the checks subarray.
  • value1 etc. are policy values, passed to the appropriate callback defined in the checks subarray. If the same check applies to a user via multiple groups, it will be applied with the max() of the values.
    • Alternatively, value1 could be an array with the fields value (same as above), suggestChangeOnLogin (when set to true, users will be shown a password change form during login if the check fails) and forceChange (like suggestChangeOnLogin but the form cannot be skipped).
  • callable1 etc. are PHP callables, which receive three arguments: the defined value, the User object and the password, and return a StatusValue. A fatal status means the password can't be used, even for login; a non-fatal error means the value is not accepted as a new password (on account creation or password change), but can be used for login; the user will be shown a (skippable) password change form.
  • Default checks (found in includes/password/PasswordPolicyChecks.php):
    • MinimalPasswordLength — Minimum length a user can set
    • MinimumPasswordLengthToLogin — Passwords shorter than this will not be allowed to login, regardless if it is correct.
    • MaximalPasswordLength — Maximum length password a user is allowed to attempt. Prevents DoS attacks with pbkdf2.
    • PasswordCannotMatchUsername — Password cannot match username
    • PasswordCannotBeSubstringInUsername — Your password must not appear within your username.
    • PasswordCannotMatchBlacklist — Blacklists some passwords which have been used by MediaWiki unit tests in the past.
    • PasswordCannotBePopular — Blacklist passwords which are known to be commonly chosen. Set to integer n to ban the top n passwords. If you want to ban all common passwords on file, use the PHP_INT_MAX constant. See also $wgPopularPasswordFile (the default file comes with MediaWiki and has 10K passwords).
      File:OOjs UI icon lightbulb-yellow.svg <translate> Note:</translate> <translate> (removed in <tvar name=2>1.35</tvar>)</translate> Use PasswordNotInCommonList instead.
    • PasswordNotInLargeBlacklist — Same as the previous one, except uses the larger blacklist that comes with the wikimedia/password-blacklist library.
      File:OOjs UI icon lightbulb-yellow.svg <translate> Note:</translate> <translate> (deprecated in <tvar name=2>1.35</tvar>)</translate> Use PasswordNotInCommonList instead.
    • PasswordNotInCommonList — Password not in best practices list of 100,000 commonly used passwords.

Examples

This example shows how to change selected policies for all users:

$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 10;
$wgPasswordPolicy['policies']['default']['MaximalPasswordLength'] = 128;
$wgPasswordPolicy['policies']['default']['PasswordCannotMatchUsername']['value'] = false;

This example shows how to change selected policies for users of the "sysop" group:

$wgPasswordPolicy['policies']['sysop']['MinimumPasswordLengthToLogin'] = 10;
$wgPasswordPolicy['policies']['sysop']['MinimalPasswordLength'] = 20;

Disabling all password policies

For development machines, it might be helpful to disable all password policies, which can be done with the following line:

File:OOjs UI icon notice-destructive.svg <translate> Warning:</translate> You should never use this on production sites as it reduces the security of your wiki. It should only be used for test/development sites which do not hold any sensitive data.
$wgPasswordPolicy = [ 'policies' => [ 'default' => [] ], 'checks' => [] ];

Default

<td class="mw-version-versionbox" title="<translate nowrap> The latest stable version is <tvar name=1>1.41</tvar></translate>">
<translate> ≥</translate> 1.40
<translate> MediaWiki version:</translate>
$wgPasswordPolicy = [
	'policies' => [
		'bureaucrat' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'sysop' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'interface-admin' => [	// 1.32+
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'bot' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'default' => [
			'MinimalPasswordLength' => [ 'value' => 8, 'suggestChangeOnLogin' => true ],	// 1.40+
			'PasswordCannotBeSubstringInUsername' => [	// 1.35+
				'value' => true,
				'suggestChangeOnLogin' => true
			],
			'PasswordCannotMatchDefaults' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.35+
			'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordNotInCommonList' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.35+
		],
	],
	'checks' => [
		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
		'PasswordCannotBeSubstringInUsername' =>
			'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername',	// 1.35+
		'PasswordCannotMatchDefaults' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults',	// 1.35+
		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
		'PasswordNotInCommonList' => 'PasswordPolicyChecks::checkPasswordNotInCommonList',	// 1.35+
	],
];
<td class="mw-version-versionbox" title="<translate nowrap> The latest stable version is <tvar name=1>1.41</tvar></translate>">
<translate> ≥</translate> 1.37
<translate> MediaWiki version:</translate>
$wgPasswordPolicy = [
	'policies' => [
		'bureaucrat' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'sysop' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'interface-admin' => [	// 1.32+
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'bot' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'default' => [
			'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordCannotBeSubstringInUsername' => [	// 1.35+
				'value' => true,
				'suggestChangeOnLogin' => true
			],
			'PasswordCannotMatchDefaults' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.35+
			'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordNotInCommonList' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.35+
		],
	],
	'checks' => [
		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
		'PasswordCannotBeSubstringInUsername' =>
			'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername',	// 1.35+
		'PasswordCannotMatchDefaults' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults',	// 1.35+
		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
		'PasswordNotInCommonList' => 'PasswordPolicyChecks::checkPasswordNotInCommonList',	// 1.35+
	],
];
<td class="mw-version-versionbox" title="<translate nowrap> The latest stable version is <tvar name=1>1.41</tvar></translate>">
<translate> ≥</translate> 1.36
<translate> MediaWiki version:</translate>
$wgPasswordPolicy = [
	'policies' => [
		'bureaucrat' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'sysop' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'interface-admin' => [	// 1.32+
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'bot' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'default' => [
			'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordCannotMatchUsername' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordCannotBeSubstringInUsername' => [	// 1.35+
				'value' => true,
				'suggestChangeOnLogin' => true
			],
			'PasswordCannotMatchDefaults' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.35+
			'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordNotInCommonList' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.35+
		],
	],
	'checks' => [
		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
		'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
		'PasswordCannotBeSubstringInUsername' =>
			'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername',	// 1.35+
		'PasswordCannotMatchDefaults' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults',	// 1.35+
		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
		'PasswordNotInCommonList' => 'PasswordPolicyChecks::checkPasswordNotInCommonList',	// 1.35+
	],
];
<td class="mw-version-versionbox" title="<translate nowrap> MediaWiki <tvar name=1>1.35</tvar> is unsupported version</translate>">
1.35
<translate> MediaWiki version:</translate>
$wgPasswordPolicy = [
	'policies' => [
		'bureaucrat' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'sysop' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'interface-admin' => [	// 1.32+
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'bot' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'default' => [
			'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordCannotMatchUsername' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordCannotBeSubstringInUsername' => [	// 1.35+
				'value' => true,
				'suggestChangeOnLogin' => true
			],
			'PasswordCannotMatchDefaults' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.35+
			'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordNotInCommonList' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.35+
		],
	],
	'checks' => [
		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
		'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
		'PasswordCannotBeSubstringInUsername' =>
			'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername',	// 1.35+
		'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults',	// 1.35
		'PasswordCannotMatchDefaults' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults',	// 1.35+
		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
		'PasswordNotInLargeBlacklist' => 'PasswordPolicyChecks::checkPasswordNotInCommonList',	// 1.35
		'PasswordNotInCommonList' => 'PasswordPolicyChecks::checkPasswordNotInCommonList',	// 1.35+
	],
];
<td class="mw-version-versionbox" title="<translate nowrap> MediaWiki <tvar name=1>1.34</tvar> is unsupported version</translate>">
1.34
<translate> MediaWiki version:</translate>
$wgPasswordPolicy = [
	'policies' => [
		'bureaucrat' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'sysop' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'interface-admin' => [	// 1.32+
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'bot' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
		],
		'default' => [
			'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordCannotMatchUsername' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordCannotMatchBlacklist' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.33+
			'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordNotInLargeBlacklist' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.34+
		],
	],
	'checks' => [
		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
		'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
		'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
		'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist',	// 1.27+
		'PasswordNotInLargeBlacklist' => 'PasswordPolicyChecks::checkPasswordNotInLargeBlacklist',	// 1.33+
	],
];
<td class="mw-version-versionbox" title="<translate nowrap> MediaWiki <tvar name=1>1.33</tvar> is unsupported version</translate>">
1.33
<translate> MediaWiki version:</translate>
$wgPasswordPolicy = [
	'policies' => [
		'bureaucrat' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordNotInLargeBlacklist' => true,	// 1.33
		],
		'sysop' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordNotInLargeBlacklist' => true,	// 1.33
		],
		'interface-admin' => [	// 1.32+
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordNotInLargeBlacklist' => true,	// 1.33
		],
		'bot' => [
			'MinimalPasswordLength' => 10,	// 1.33+
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordNotInLargeBlacklist' => true,	// 1.33
		],
		'default' => [
			'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordCannotMatchUsername' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.33+
			'PasswordCannotMatchBlacklist' => [ 'value' => true, 'suggestChangeOnLogin' => true ],	// 1.33+
			'MaximalPasswordLength' => [ 'value' => 4096, 'suggestChangeOnLogin' => true ],	// 1.33+
		],
	],
	'checks' => [
		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
		'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
		'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
		'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist',	// 1.27+
		'PasswordNotInLargeBlacklist' => 'PasswordPolicyChecks::checkPasswordNotInLargeBlacklist',	// 1.33+
	],
];
<td class="mw-version-versionbox" title="<translate nowrap> MediaWiki <tvar name=1>1.32</tvar> is unsupported version</translate>">
1.32
<translate> MediaWiki version:</translate>
$wgPasswordPolicy = [
	'policies' => [
		'bureaucrat' => [
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
			'PasswordCannotBePopular' => 25,	// 1.27+
		],
		'sysop' => [
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
			'PasswordCannotBePopular' => 25,	// 1.27+
		],
		'interface-admin' => [	// 1.32+
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
			'PasswordCannotBePopular' => 25,
		],
		'bot' => [
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
		],
		'default' => [
			'MinimalPasswordLength' => 1,
			'PasswordCannotMatchUsername' => true,
			'PasswordCannotMatchBlacklist' => true,
			'MaximalPasswordLength' => 4096,
		],
	],
	'checks' => [
		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
		'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
		'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
		'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist'	// 1.27+
	],
];
<td class="mw-version-versionbox" title="<translate nowrap> MediaWiki <tvar name=1>1.31</tvar> is unsupported version</translate>">
1.27 – 1.31
<translate> MediaWiki versions:</translate>
$wgPasswordPolicy = [
	'policies' => [
		'bureaucrat' => [
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
			'PasswordCannotBePopular' => 25,	// 1.27+
		],
		'sysop' => [
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
			'PasswordCannotBePopular' => 25,	// 1.27+
		],
		'bot' => [
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
		],
		'default' => [
			'MinimalPasswordLength' => 1,
			'PasswordCannotMatchUsername' => true,
			'PasswordCannotMatchBlacklist' => true,
			'MaximalPasswordLength' => 4096,
		],
	],
	'checks' => [
		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
		'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
		'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
		'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist'	// 1.27+
	],
];
<td class="mw-version-versionbox" title="<translate nowrap> MediaWiki <tvar name=1>1.26</tvar> is unsupported version</translate>">
1.26
MediaWiki version:
$wgPasswordPolicy = array(
	'policies' => array(
		'bureaucrat' => array(
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
		),
		'sysop' => array(
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
		),
		'bot' => array(
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
		),
		'default' => array(
			'MinimalPasswordLength' => 1,
			'PasswordCannotMatchUsername' => true,
			'PasswordCannotMatchBlacklist' => true,
			'MaximalPasswordLength' => 4096,
		),
	),
	'checks' => array(
		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
		'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
		'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
	),
);


See also