⚓ T241845 Create new password policy to check if a password is a substring of a username



Closed, Resolved · Public · Security

Author Affiliation
WMF Technology Dept

Event Timeline

sbassett renamed this task from "Create new password policy to detect if a password is a substring of a username" to "Create new password policy to check if a password is a substring of a username". Jan 3 2020, 6:11 PM

MarcoAurelio changed the subtype of this task from "Task" to "Security Issue". Jan 5 2020, 7:03 PM

Talked to @Reedy - we were thinking this could probably go through gerrit, especially if we got a patch up today and merged before the train this week. I'm not certain a security patch makes sense here, since there's a potential slippery-slope argument around PasswordPolicyChecks.php where no new check should ever be publicly added. Which, unless it's to mitigate a more serious, ongoing attack, seems like overkill IMO.

sbassett closed this task as Resolved. Edited Jan 14 2020, 4:56 PM

Patch merged. Should ride this week's train. Will file follow-up task suggesting removal of checkPasswordCannotMatchUsername.

sbassett changed Author Affiliation from N/A to WMF Technology Dept. Sep 7 2021, 2:31 PM
