The password length is whatever
$wgMinimalPasswordLength is set to, and
according to DefaultSettings.php it's 1 :P. Maybe we should increase the
length of passwords from User::randomPassword.
- Security: Because the temporary password is
being entered by the user it
ends up being much shorter than it should be. The temporary passwords have
really low entropy and if we expired them any later than we do now it would
theoretically be possible to brute force a password reset. Frankly right
now if someone was persistent enough to brute force randomly and make a
second reset after the first expires they may actually have a sane enough
chance at brute forcing into an account.
Ah I see, so in the end it's pretty much about brute force attacks. Well
what we can do (in order to avoid schema changes), is keep the newpassword
field, increase temporary password lengths to something like 64, and then
shift the Special:ResetPassword and User::mailPasswordInternal logic to use
URLs instead of entering the password manually.
The other thing though that can be done with tokens that can't be done with
passwords (at least without violating user expectations) is making the token
expire. Having the randomly generated token/password expire after a day or so
greatly reduces the amount of time available for an attack.
Thank you,
Derric Atzrott