From a5ea73070652d807afb780a5bd9c6614b5e5a872 Mon Sep 17 00:00:00 2001
From: Thalia
Date: Tue, 17 Sep 2019 20:16:05 +0100
Subject: [PATCH] Improve documentation for the MinimumPasswordLengthToLogin policy

Bug: T233119
Change-Id: I2d0fa6f7116b407cbf62ad93da73d0800c9d14f9
---
 includes/DefaultSettings.php | 3 ++-
 includes/password/PasswordPolicyChecks.php | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 0fb0173199..fd4c7af6a3 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -4472,7 +4472,8 @@ $wgCentralIdLookupProvider = 'local';
 * Statements:
 * - MinimalPasswordLength - minimum length a user can set
 * - MinimumPasswordLengthToLogin - passwords shorter than this will
- * not be allowed to login, regardless if it is correct.
+ * not be allowed to login, or offered a chance to reset their password
+ * as part of the login workflow, regardless if it is correct.
 * - MaximalPasswordLength - maximum length password a user is allowed
 * to attempt. Prevents DoS attacks with pbkdf2.
 * - PasswordCannotMatchUsername - Password cannot match username to
diff --git a/includes/password/PasswordPolicyChecks.php b/includes/password/PasswordPolicyChecks.php
index 502f1e024c..cec82c7fbc 100644
--- a/includes/password/PasswordPolicyChecks.php
+++ b/includes/password/PasswordPolicyChecks.php
@@ -44,7 +44,9 @@ class PasswordPolicyChecks {
 }

 /**
- * Check password is longer than minimum, fatal
+ * Check password is longer than minimum, fatal.
+ * Intended for locking out users with passwords too short to trust, requiring them
+ * to recover their account by some other means.
 * @param int $policyVal minimal length
 * @param User $user
 * @param string $password
--
2.20.1
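Review bot: In includes/DefaultSettings.php the reworded MinimumPasswordLengthToLogin entry still makes "passwords" the subject of "not be allowed to login" and of "their password", so it is unclear who is locked out and what "it" in "regardless if it is correct" refers to. I would write `- MinimumPasswordLengthToLogin - users whose password is shorter than this cannot log in, and are not offered a password reset during login, even if the password is correct.` The entry could also repeat what the PasswordPolicyChecks.php docblock in this patch says, that such accounts have to be recovered by some other means, so an administrator raising the value knows a recovery path must exist first. The comment block starts and ends outside the hunk.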
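Review bot: The summary line in includes/password/PasswordPolicyChecks.php still says "longer than minimum", while the DefaultSettings.php text in this patch says only passwords shorter than the value are rejected, so the two disagree about a password of exactly the minimum length. If the method rejects only lengths below `$policyVal` (its body is outside the hunk, so this needs confirming), the line should read `Check password is at least the minimum length required to log in, fatal.` Since the docblock is being touched anyway, it would help to add one sentence on what "fatal" means for the result the caller receives, as the word is left unexplained in the visible lines.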