From ca7869174fb8243658b5fc589d4db89393420467 Mon Sep 17 00:00:00 2001
From: Thalia
Date: Tue, 17 Sep 2019 20:16:05 +0100
Subject: [PATCH] Improve documentation for the MinimumPasswordLengthToLogin policy

Bug: T233119
Change-Id: I2d0fa6f7116b407cbf62ad93da73d0800c9d14f9
---
 includes/DefaultSettings.php | 3 ++-
 includes/password/PasswordPolicyChecks.php | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index c3a37f33e2..fd1affce3d 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -4445,7 +4445,8 @@ $wgCentralIdLookupProvider = 'local';
 * The checks supported by core are:
 * - MinimalPasswordLength - Minimum length a user can set.
 * - MinimumPasswordLengthToLogin - Passwords shorter than this will
- * not be allowed to login, regardless if it is correct.
+ * not be allowed to login, or offered a chance to reset their password
+ * as part of the login workflow, regardless if it is correct.
 * - MaximalPasswordLength - maximum length password a user is allowed
 * to attempt. Prevents DoS attacks with pbkdf2.
 * - PasswordCannotMatchUsername - Password cannot match the username.
diff --git a/includes/password/PasswordPolicyChecks.php b/includes/password/PasswordPolicyChecks.php
index 8eecbcc2e2..1475c2053c 100644
--- a/includes/password/PasswordPolicyChecks.php
+++ b/includes/password/PasswordPolicyChecks.php
@@ -54,6 +54,8 @@ class PasswordPolicyChecks {

 /**
 * Check password is longer than minimum, fatal.
+ * Intended for locking out users with passwords too short to trust, requiring them
+ * to recover their account by some other means.
 * @param int $policyVal minimal length
 * @param User $user
 * @param string $password
-- 
2.20.1
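Review bot: The reworded MinimumPasswordLengthToLogin entry in DefaultSettings.php still makes "Passwords" the subject of "not be allowed to login, or offered a chance to reset their password", and neither hunk tells an operator how a locked-out user gets back in. Because this policy deliberately rejects a correct credential, the settings text should state the consequence plainly, for example `Users whose password is shorter than this cannot log in, and are not offered a password reset during login, even if the password is correct.` The PasswordPolicyChecks.php docblock has the same gap: "by some other means" leaves the recovery path unnamed, so name it there or point to where it is documented. Both comment blocks continue outside their hunks, so some of this may already be covered by lines not shown.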