The password length is whatever $wgMinimalPasswordLength is set to, and according to DefaultSettings.php it's 1 :P. Maybe we should increase the length of passwords from User::randomPassword.
- Security: Because the temporary password is being entered by the user it
ends up being much shorter than it should be. The temporary passwords have really low entropy and if we expired them any later than we do now it would theoretically be possible to brute force a password reset. Frankly right now if someone was persistent enough to brute force randomly and make a second reset after the first expires they may actually have a sane enough chance at brute forcing into an account.
Ah I see, so in the end it's pretty much about brute force attacks. Well what we can do (in order to avoid schema changes), is keep the newpassword field, increase temporary password lengths to something like 64, and then shift the Special:ResetPassword and User::mailPasswordInternal logic to use URLs instead of entering the password manually.
The other thing though that can be done with tokens that can't be done with passwords (at least without violating user expectations) is making the token expire. Having the randomly generated token/password expire after a day or so greatly reduces the amount of time available for an attack.
Thank you, Derric Atzrott