Password policy

From Meta, a Wikimedia project coordination wiki

Overview

Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorised access to your account. This can have a cascading effect which could jeopardize the security and privacy of other contributors. A strong password protects not only the individual, but also the projects and the movement as a whole.

Purpose

The purpose of this policy is to establish and document password requirements for users of Wikimedia wikis.

Scope

The scope of this policy includes anyone who has registered an account on a Wikimedia wiki.

Policy

Password requirements are defined for both regular users and privileged users. These requirements may be changed or expanded in the future to further enhance security.

  1. Password requirements for regular users:
    1. Must be at least 8 characters
    2. Must not be in the list of the 100,000 most commonly used passwords (as defined by the CommonPasswords library)
    3. Must not be the same as the username
  2. Password requirements for privileged users:
    1. Must be at least 10 characters
    2. Must not be in the list of the 100,000 most commonly used passwords (as defined by the CommonPasswords library)
    3. Must not be the same as the username

Compliance

The security team will conduct activities including, but not limited to: auditing accounts, dictionary attacks against user passwords, and user surveys.

Password changes may be required for all users by the Wikimedia Security Team in case of a security incident.

Exceptions

For exceptions to this policy, contact security@wikimedia.org.

Related policies and documentation

Definitions

fishbowl – A fishbowl wiki is a wiki which everyone can read, but only some people (with accounts) may edit.

normal user – A user account on a wiki that is not a member of any group that is considered privileged.

private – A private wiki is a wiki where read and write access is restricted to people who have accounts.

privileged user – A privileged user is one who is in a group such as (but not limited to): Global and local Administrators (sysop), Bureaucrat, Oversight, Check User, Founder, Global Interface Editors, Bots, Ombuds, Staff, Stewards, Central Notice Administrators, and System Administrators. Other groups identified by the Security Team at the Wikimedia Foundation may be considered “privileged” even though they are not listed above. All users on private and fishbowl wikis are considered privileged.