Talk:Password policy

From Meta, a Wikimedia project coordination wiki

Password Blacklist library

In this article there is a mention of 100,000 blacklisted passwords as listed by the Password Blacklist library. Can we know which they are? --Tiven2240 (talk) 09:30, 7 December 2018 (UTC)

+1 Gråbergs Gråa Sång (talk) 09:35, 7 December 2018 (UTC)
I think it's easy to find just by googling; I found this (there is a long text file, so your computer can slow down if you open the text file there). Stryn (talk) 09:53, 7 December 2018 (UTC)
And the link to the raw text of the 100,000 list (which is faster to access and more convenient) for anyone wanting to see the list is 10_million_password_list_top_100000. That list, or something like it, will probably be copied to a WMF server to what will be called the Password Blacklist library, and that will probably be a public file like the source code for MediaWiki. Johnuniq (talk) 01:01, 8 December 2018 (UTC)
Thank you Johnuniq for the clarification. If others are curious, the list is based upon the list from the Weakpass project. CKoerner (WMF) (talk) 15:38, 10 December 2018 (UTC)

Is there a maximum password length?

Is a long password, let's say 200 lowercase Latin letters, allowed, or is it too long? I tried to change my password to a really long password all in lowercase and it didn't seem to work. I have experience with applications that generate a 'secure password' using twelve different words. I used twelve different words for this password; when I was finished I think I was up to a 95-character-long password. It didn't go through though, so I switched it to a 64-character-long password with lowercase letters, capital letters, numbers and special characters. Datariumrex (talk) 12:20, 30 June 2020 (UTC)

Hey @Datariumrex:, the default setting for MediaWiki shows that MaximalPasswordLength is set to "4096". Longer password lengths are not recommended as they can allow for denial of service attacks (see task T64685). CKoerner (WMF) (talk) 15:15, 30 June 2020 (UTC)

There is no documentation here for how to see your password if you're logged in.

If someone forgot their password but they're still logged in on their computer. 50.46.167.164 02:46, 7 February 2024 (UTC)

This feature is not possible due to the implementation of MediaWiki's password storage. MediaWiki never stores a plain text version of your password. Instead, a cryptographic hash of your password is stored, and login attempts are checked by performing the equivalent cryptographic hash of the plain text password provided to the login form and comparing the resulting hash value with the hash value stored in the database. -- BDavis (WMF) (talk) 18:27, 7 February 2024 (UTC)
This hashing is so that if the database is ever breached, the attackers cannot steal the passwords – these cryptographic hashes are one-way, i.e. it’s practically impossible to determine the password based on the hash. (It’s theoretically possible, but unless you use a weak password, it likely takes thousands or millions of years using today’s fastest computers.)
Also, what if you forgot to log out on a public computer? Right now, all an attacker can do is make edits until your session expires (or you invalidate it by logging out somewhere – when you log out on one device, you’re logged out on all devices). If they could view your password, they could change it and use your account for however long they want, locking you out of it. This is why you not only cannot view your existing password, but also can’t change your password or email address without entering your current password. (In contrast to viewing the existing password, it would be technically possible to change your password or email address without entering your current password; it’s just not allowed for security reasons.) —Tacsipacsi (talk) 21:10, 7 February 2024 (UTC)
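The three mechanisms discussed in this thread (the blacklist check, the maximum length guard against denial of service, and the hash-then-compare login check) in one small Python model. This is an added illustration, not MediaWiki's code: the five-entry blacklist, the minimum length of 8 and the PBKDF2 iteration count are constructed assumptions; only the 4096 maximum comes from the discussion above.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the 100,000-entry list discussed above.
BLACKLIST = {"password", "123456", "qwerty", "letmein", "wikipedia"}

MAX_PASSWORD_LENGTH = 4096   # MediaWiki default quoted in the thread
MIN_PASSWORD_LENGTH = 8      # assumption for this example
PBKDF2_ITERATIONS = 100_000  # assumption; tune for your hardware


def check_policy(password: str) -> list:
    """Return the list of policy violations (empty list means acceptable)."""
    problems = []
    # Length is checked before any hashing, so an oversized input is
    # rejected cheaply instead of being fed to a slow KDF (the DoS concern).
    if len(password) > MAX_PASSWORD_LENGTH:
        problems.append("too long")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("too short")
    if password.lower() in BLACKLIST:
        problems.append("blacklisted")
    return problems


def hash_password(password: str, salt: bytes = None) -> str:
    """Store salt, iteration count and PBKDF2-SHA256 digest; never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2:{PBKDF2_ITERATIONS}:{salt.hex()}:{digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the login-form input and compare in constant time."""
    if len(password) > MAX_PASSWORD_LENGTH:
        return False  # same cheap length guard as at registration time
    _, iters, salt_hex, digest_hex = stored.split(":")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison of the two digests; the plain text is never stored.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Because only the salted digest is kept, a "show my password" feature cannot exist: verification reproduces the digest from the login input, it never recovers the password from the stored value.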