Talk:Password policy

From Meta, a Wikimedia project coordination wiki

Password Blacklist library

In this article there is a mention of 100,000 blacklisted passwords as listed by Password Blacklist library. Can we know which they are? --Tiven2240 (talk) 09:30, 7 December 2018 (UTC)

+1 Gråbergs Gråa Sång (talk) 09:35, 7 December 2018 (UTC)
I think it's possible to find it easily just by googling; I found this (there is a long text file, so your computer can slow down if you open the text file there). Stryn (talk) 09:53, 7 December 2018 (UTC)
And the link to the raw text of the 100,000 list (which is faster to access and more convenient) for anyone wanting to see the list is 10_million_password_list_top_100000. That list, or something like it, will probably be copied to a WMF server to what will be called the Password Blacklist library, and that will probably be a public file like the source code for MediaWiki. Johnuniq (talk) 01:01, 8 December 2018 (UTC)
Thank you Johnuniq for the clarification. If others are curious, the list is based upon the list from the Weakpass project. CKoerner (WMF) (talk) 15:38, 10 December 2018 (UTC)

Is there a maximum password length?

Is a long password, let's say a 200-character-long password of lowercase Latin letters, allowed or is it too long? I tried to change my password to a really long password all in lowercase and it didn't seem to work. I have experience with applications that generate a 'secure password' using twelve different words. I used twelve different words for this password; when I was finished I think I went up to a 95-character-long password. It didn't go through though, so I switched it to a 64-character-long password with lowercase letters, capital letters, numbers and special characters. Datariumrex (talk) 12:20, 30 June 2020 (UTC)

Hey @Datariumrex: The default setting for MediaWiki shows that MaximalPasswordLength is set to "4096". Longer password lengths are not recommended as they can allow for denial of service attacks (see task T64685). CKoerner (WMF) (talk) 15:15, 30 June 2020 (UTC)