Improve documentation for the MinimumPasswordLengthToLogin policy
authorThalia <thalia.e.chan@googlemail.com>
Tue, 17 Sep 2019 19:16:05 +0000 (20:16 +0100)
committerReedy <reedy@wikimedia.org>
Tue, 17 Sep 2019 21:19:49 +0000 (21:19 +0000)
Bug: T233119
Change-Id: I2d0fa6f7116b407cbf62ad93da73d0800c9d14f9

includes/DefaultSettings.php
includes/password/PasswordPolicyChecks.php

index 0fb0173..fd4c7af 100644 (file)
@@ -4472,7 +4472,8 @@ $wgCentralIdLookupProvider = 'local';
  * Statements:
  *     - MinimalPasswordLength - minimum length a user can set
  *     - MinimumPasswordLengthToLogin - passwords shorter than this will
- *             not be allowed to login, regardless if it is correct.
+ *             not be allowed to login, or offered a chance to reset their password
+ *             as part of the login workflow, regardless if it is correct.
  *     - MaximalPasswordLength - maximum length password a user is allowed
  *             to attempt. Prevents DoS attacks with pbkdf2.
  *     - PasswordCannotMatchUsername - Password cannot match username to
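Review bot: The reworded MinimumPasswordLengthToLogin entry keeps "passwords" as its subject but then says "their password", so it reads as if passwords log in and reset themselves; the subject should be the user. Suggested wording: `MinimumPasswordLengthToLogin - users whose password is shorter than this cannot log in, and are not offered a password reset as part of the login workflow, even if the password is correct.` Because the entry now describes a lockout, it would also help operators to add that affected accounts must be recovered by some other means, as the PasswordPolicyChecks docblock in this same commit says.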
index 502f1e0..cec82c7 100644 (file)
@@ -44,7 +44,9 @@ class PasswordPolicyChecks {
        }
 
        /**
-        * Check password is longer than minimum, fatal
+        * Check password is longer than minimum, fatal.
+        * Intended for locking out users with passwords too short to trust, requiring them
+        * to recover their account by some other means.
         * @param int $policyVal minimal length
         * @param User $user
         * @param string $password
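Review bot: The summary line still says "longer than minimum" while the @param calls $policyVal the "minimal length", so it is unclear whether a password of exactly that length passes. The comparison is outside this hunk; if it accepts equal lengths, the line should read `Check password is at least the minimum length, fatal.` The added sentence would be easier to connect to configuration if it named the policy statement, presumably MinimumPasswordLengthToLogin going by the commit title. It could also say that "fatal" here means login is refused even for a correct password. The docblock and the method it documents continue past the end of the hunk.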