[Koha-bugs] [Bug 25934] [OMNIBUS] Passwords should be more complex / password policy complexity
bugzilla-daemon at bugs.koha-community.org
Wed Feb 22 18:00:13 CET 2023
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25934
Katrin Fischer <katrin.fischer at bsz-bw.de> changed:
What | Removed | Added
----------------------------------------------------------------------------
See Also | | https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21314
Summary | RequireStrongPassword should be more complex (password policy complexity) | [OMNIBUS] Passwords should be more complex / password policy complexity
Depends on | | 32553, 33042
--- Comment #9 from Katrin Fischer <katrin.fischer at bsz-bw.de> ---
It feels like we should revisit this one.
I think David made a lot of good suggestions, but maybe we should implement
some of them as separate features:
> 1. A minimum length of 10 characters that can't be lowered via minPasswordLength
I think that would be an 'enhancement' of minPasswordLength. Maybe 8 would be
more agreeable as a start (at the moment it's 3). But see also: bug 21314 that
had an issue with 3 already.
> 2. Should contain 3 of the following 4 sets (lowercase, uppercase, numbers, special characters)
I think this could be a new second option to RequireStrongPassword if we
restructured the code a bit to make it not boolean but have several password
policies people can "update" to.
I've filed:
Bug 33042 - Enforce 4 character groups (lowercase, uppercase, numbers and
special characters) in passwords
> 3. Not be the same as a previously set password
We have a separate bug for this already:
Bug 32553 - Don't allow to use the same password as before when a password
expires/is reset
> 4. Should not include dictionary words or common passwords
(This could be challenging to do comprehensively on low spec systems, although
one variation of this could be to add a customizable list of passwords to
exclude.)
We could file a new report for this. I am not sure if there are existing
multi-language dictionaries we could use here, but Koha being international
might add some additional difficulty?
> 5. Should not be equal to the username
That one could be a new pref..., but I feel like we should just "do it".
Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32553
[Bug 32553] Don't allow to use the same password as before when a password expires/is reset
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33042
[Bug 33042] Enforce 4 character groups (lowercase, uppercase, numbers and special characters) in passwords