r75588 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r75587‎ | r75588 | r75589 >
Date:22:26, 27 October 2010
Author:platonides
Status:reverted (Comments)
Tags:
Comment:
Add feature to block common (weak) passwords.
This closes the hole of passwords hardcoded in r72475,r74213. Also see r75589.
Modified paths:
  • /trunk/phase3/includes/DefaultSettings.php (modified) (history)
  • /trunk/phase3/includes/User.php (modified) (history)
  • /trunk/phase3/languages/messages/MessagesEn.php (modified) (history)
  • /trunk/phase3/maintenance/language/messages.inc (modified) (history)

Diff [purge]

Index: trunk/phase3/maintenance/language/messages.inc
@@ -430,6 +430,7 @@
431431 'wrongpasswordempty',
432432 'passwordtooshort',
433433 'password-name-match',
 434+ 'password-too-weak',
434435 'mailmypassword',
435436 'passwordremindertitle',
436437 'passwordremindertext',
Index: trunk/phase3/includes/User.php
@@ -601,18 +601,22 @@
602602 * @return mixed: true on success, string of error message on failure
603603 */
604604 function getPasswordValidity( $password ) {
605 - global $wgMinimalPasswordLength, $wgContLang;
 605+ global $wgMinimalPasswordLength, $wgWeakPasswords, $wgContLang;
606606
607607 $result = false; //init $result to false for the internal checks
608608
609609 if( !wfRunHooks( 'isValidPassword', array( $password, &$result, $this ) ) )
610610 return $result;
611611
 612+ $lcPassword = $wgContLang->lc( $password );
 613+
612614 if ( $result === false ) {
613615 if( strlen( $password ) < $wgMinimalPasswordLength ) {
614616 return 'passwordtooshort';
615 - } elseif ( $wgContLang->lc( $password ) == $wgContLang->lc( $this->mName ) ) {
 617+ } elseif ( $lcPassword == $wgContLang->lc( $this->mName ) ) {
616618 return 'password-name-match';
 619+ } elseif ( in_array( $lcPassword, $wgWeakPasswords ) ) {
 620+ return 'password-too-weak';
617621 } else {
618622 //it seems weird returning true here, but this is because of the
619623 //initialization of $result to false above. If the hook is never run or it
Index: trunk/phase3/includes/DefaultSettings.php
@@ -2771,6 +2771,12 @@
27722772 $wgLivePasswordStrengthChecks = false;
27732773
27742774 /**
 2775+ * List of weak passwords which shouldn't be allowed.
 2776+ * The items should be in lowercase. The check is case insensitive.
 2777+ */
 2778+$wgWeakPasswords = array( 'password', 'passpass', 'passpass1' );
 2779+
 2780+/**
27752781 * Maximum number of Unicode characters in signature
27762782 */
27772783 $wgMaxSigChars = 255;
Index: trunk/phase3/languages/messages/MessagesEn.php
@@ -1085,6 +1085,7 @@
10861086 Please try again.',
10871087 'passwordtooshort' => 'Passwords must be at least {{PLURAL:$1|1 character|$1 characters}}.',
10881088 'password-name-match' => 'Your password must be different from your username.',
 1089+'password-too-weak' => 'The provided password is too weak and cannot be used.',
10891090 'mailmypassword' => 'E-mail new password',
10901091 'passwordremindertitle' => 'New temporary password for {{SITENAME}}',
10911092 'passwordremindertext' => 'Someone (probably you, from IP address $1) requested a new

Follow-up revisions

RevisionCommit summaryAuthorDate
r75589Do NOT use hardcoded passwords! Not even if the user agreed to run destructiv...platonides22:27, 27 October 2010
r79034Revert r75588 and r77381. Block just the tainted pairs of username/passwords ...platonides22:55, 26 December 2010

Past revisions this follows-up on

RevisionCommit summaryAuthorDate
r72475Follow-up r70137: Made asynchronous upload working a bit more. It now fully w...btongminh10:18, 6 September 2010
r74213Revert r74122, making r74117 live again...reedy15:24, 3 October 2010

Comments

#Comment by Simetrical (talk | contribs)   17:16, 28 October 2010

If I'm reading the code correctly, this will prevent existing users with these passwords from logging in or changing them. This is a Bad Thing. Users with existing weak passwords should be required to change them.

I also don't believe we actually want to block even the most common passwords on wikis where anyone can create an account. Users shouldn't be forced to remember a complicated password to make an account. Password restrictions should only be on sysops – if anyone else's account gets compromised, it hurts only them, and it's up to them to trade off their own convenience against their own security.

#Comment by Platonides (talk | contribs)   20:57, 28 October 2010

You are right. They should reset their password by email.

That's not my favourite approach, but fitted quite nicely for closing the hole of r75589. What do you propose for cleanly fixing that?

#Comment by Simetrical (talk | contribs)   22:24, 28 October 2010

Run a query that will delete those users. Or else hardcode a check for those exact username/password combinations.

It's not acceptable to just say users should reset their password by e-mail, because lots of users haven't set an e-mail address or their address doesn't work anymore. There should be no mandatory password strength checks at all for regular users on wikis where anyone can create an account.

#Comment by Platonides (talk | contribs)   22:45, 28 October 2010

I disagree on that point. But this should have been much more flexible.

I don't know what I'll come up with.

#Comment by Happy-melon (talk | contribs)   23:12, 14 December 2010

I also disagree that mandatory strength checks are axiomatically Bad. But users should be allowed to log in once with existing weak passwords, but then be required to change them a-la the email reset mechanism; while being prevented from creating or changing to such passwords.

#Comment by Simetrical (talk | contribs)   15:53, 15 December 2010

I don't think mandatory strength checks are bad. They're a very good idea for all sorts of sites. But they shouldn't be enabled for ordinary users in MediaWiki by default, or on public Wikimedia sites.

Status & tagging log