[Koha-bugs] [Bug 18298] Enforce password complexity
bugzilla-daemon at bugs.koha-community.org
Tue Mar 21 14:15:46 CET 2017
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298
--- Comment #20 from Jonathan Druart <jonathan.druart at bugs.koha-community.org> ---
(In reply to Marcel de Rooy from comment #19)
> In order to call a password "strong", we should definitely not allow a
> password length less than 8 characters (not to talk about 12-14). And we
> should enforce a special character too. (Enforcing uc,lc,digits is
> definitely an improvement btw!)
> When you enable RequireStrongPassword, you should just raise
> minPasswordLength. You cannot enable it and have strong passwords of 3
> chars. Impossible!
I am in discussion with the sponsor about the special character. In any case,
that will be dealt with on another bug report.
> I saw several constructs like:
> my $minpw = C4::Context->preference('minPasswordLength');
> $minpw = 3 if not $minpw or $minpw < 3;
> We could call a function in C4/Auth to get the password length and not check
> the pref everywhere. And increase 3 of course.
See the whole patch set, this is fixed in the last patch.
> "To avoid the password to be sent plain text it is certainly better to
> generate it client-side."
> And then send it back to the server plain text?
> Or should we just say: use https and we trust that transmission?
Yes indeed, it is still passed as plain text unless using https.
> "Now that we have a check client-side, nothing prevents a smart guy from
> bypassing it and forcing an invalid password."
> And this is an issue. How do you want to resolve that one?
Hum? I added server-side checks everywhere.
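The following is an added illustration of the two points raised in this exchange, a single helper that computes the effective minimum length instead of repeating "$minpw = 3 if not $minpw or $minpw < 3" in every caller, and a server-side validation that runs whether or not the client-side JavaScript check was bypassed. It is example code written for this note, not Koha's own C4::Auth or the patch set under review: the preference() sub is a stand-in for C4::Context->preference() backed by a plain hash so the script runs outside Koha, the floor of 8 characters when RequireStrongPassword is on follows the suggestion in comment #19 rather than any Koha default, and the special-character rule is left out because the thread defers it to another bug.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for C4::Context->preference(): the two prefs the
# thread discusses, kept in a hash so this script runs outside Koha.
my %prefs = (
    minPasswordLength     => 3,   # the weak default the thread criticises
    RequireStrongPassword => 1,
);
sub preference { return $prefs{ $_[0] } }

# One place to compute the effective minimum length, so callers no longer
# repeat "$minpw = 3 if not $minpw or $minpw < 3" everywhere.
# Assumption (not Koha policy): RequireStrongPassword raises the floor to 8,
# as proposed in comment #19; otherwise the historical floor of 3 applies.
sub min_password_length {
    my $minpw = preference('minPasswordLength') || 0;
    my $floor = preference('RequireStrongPassword') ? 8 : 3;
    return $minpw < $floor ? $floor : $minpw;
}

# Server-side validation. Returns (1, undef) on success or (0, $reason).
# This runs on every submission, independent of any client-side check,
# which a user controlling the browser can always remove.
sub is_password_valid {
    my ($password) = @_;
    $password = '' unless defined $password;

    return ( 0, 'too_short' )
        if length($password) < min_password_length();

    if ( preference('RequireStrongPassword') ) {
        # uc, lc and digit, the three classes the thread says are now enforced
        return ( 0, 'too_weak' )
            unless $password =~ /[a-z]/
                && $password =~ /[A-Z]/
                && $password =~ /[0-9]/;
    }
    return ( 1, undef );
}

# Constructed sample inputs, simulating values a tampered form could submit
# once the JavaScript check has been stripped out of the page.
for my $candidate ( 'abc', 'abcdefgh', 'Abc1', 'Abcdefg1' ) {
    my ( $ok, $why ) = is_password_valid($candidate);
    printf "%-10s -> %s\n", $candidate, $ok ? 'accepted' : "rejected ($why)";
}
```

With the hash above, 'abc' and 'Abc1' are rejected as too short (the pref of 3 is raised to 8), 'abcdefgh' is rejected as too weak, and only 'Abcdefg1' is accepted; setting RequireStrongPassword to 0 drops the floor back to 3 and accepts everything but the empty string, which is exactly the "strong passwords of 3 chars" situation comment #19 objects to.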