Wikipedia:Password strength requirements

From Wikipedia, the free encyclopedia

Background

Although Wikipedia:User account security has contained standard advice for password strength for some time, the English-language Wikipedia did not have password requirements for any user group for its first fourteen years. In late 2015, there was a security breaching incident involving users with advanced permissions that led to a security review. That review resulted in password requirements for some users with advanced permissions, and advised changes to global policy and auditing and enforcement by the Wikimedia Foundation.

Application

While all users are strongly advised to maintain a strong password, the policy requirements are only binding on the following user groups:

Additionally, the community recommended that global policy require the steward and founder user groups follow these same requirements. Jimbo Wales, as sole member of the "founder" user group, voluntarily agreed to comply with these requirements.

A password strength meter is to be added to the signup/change password screen in order to assist users in determining if their password is considered strong.

Requirements

Privileged users must meet these requirements:

  • Passwords must be at least 8 bytes in length. (in English this usually corresponds to 8 characters)
  • Passwords should not be on the list of the 10,000 most common passwords.

In addition, there are very limited requirements that apply to all users:

  • Passwords must not be blank.
  • Passwords must not be on the list of the 100 most common passwords.
  • Passwords must not be "wiki", "mediawiki", or the name of the wiki the password is being set on.

Enforcement and auditing

A password strength bar (yet to be implemented) will help these users determine if they are meeting these requirements. Regular auditing of administrator and functionary passwords is to be done by the Foundation, through a process and at intervals as yet to be determined.

Users with advanced permissions who are found to be out of compliance with these requirements may have their permissions revoked until they have made adequate assurances that they have rectified the issue. Users who repeatedly fail to maintain a strong password may have their permissions permanently revoked by the Arbitration Committee.

So that's it, my account is secure?

No, not really. A strong password and password security are just one part of securing your account. Users with advanced permissions, and indeed all users, should be taking steps above and beyond these requirements to insure the security of their accounts. Two-factor authentication is now available to administrators and will hopefully be rolled out to all users in the near future. Simply logging out when you are done for the day if you are using a device that there is even a possibility another person will have access to is another basic security measure. Avoid "recycling", your Wikipedia password should be unique and not used to log in anywhere else. A committed identity can help you prove you are the legitimate account holder and assist you in regaining control of your account if it is breached. More information is available at WP:SECURITY.


Retrieved from "https://en.wikipedia.org/w/index.php?title=Wikipedia:Password_strength_requirements&oldid=817236035"
This content was retrieved from Wikipedia : http://en.wikipedia.org/wiki/Wikipedia:Password_strength_requirements
This page is based on the copyrighted Wikipedia article "Wikipedia:Password strength requirements"; it is used under the Creative Commons Attribution-ShareAlike 3.0 Unported License (CC-BY-SA). You may redistribute it, verbatim or modified, providing that you comply with the terms of the CC-BY-SA