[Koha-bugs] [Bug 25934] [OMNIBUS] Passwords should be more complex / password policy complexity

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Wed Feb 22 18:00:13 CET 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25934

Katrin Fischer <katrin.fischer at bsz-bw.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.koha-community
                   |                            |.org/bugzilla3/show_bug.cgi
                   |                            |?id=21314
            Summary|RequireStrongPassword       |[OMNIBUS] Passwords should
                   |should be more complex      |be more complex / password
                   |(password policy            |policy complexity
                   |complexity)                 |
         Depends on|                            |32553, 33042

--- Comment #9 from Katrin Fischer <katrin.fischer at bsz-bw.de> ---
It feels like we should revisit this one.

I think David made a lot of good suggestions, but maybe we should implement
some of them as separate features:

> 1. A minimum length of 10 characters that can't be lowered via minPasswordLength

I think that would be an 'enhancement' of minPasswordLength. Maybe 8 would be
more agreeable as a start (at the moment it's 3). But see also: bug 21314 that
had an issue with 3 already.

> 2. Should contain 3 of the following 4 sets (lowercase, uppercase, numbers, special characters)

I think this could be a new second option to RequireStrongPassword if we
restructured the code a bit to make it not boolean but have several password
policies people can "update" to.

I've filed: 
Bug 33042 - Enforce 4 character groups (lowercase, uppercase, numbers and
special characters) in passwords

> 3. Not be the same as a previously set password

We have a separate bug for this already:
Bug 32553 - Don't allow to use the same password as before when a password
expires/is reset

> 4. Should not include dictionary words or common passwords
(This could be challenging to do comprehensively on low spec systems, although
one variation of this could be to add a customizable list of passwords to
exclude.)

We could file a new report for this. I am not sure if there are existing
multi-language dictionaries we could use here, but Koha being international
might add some additional difficulty?

> 5. Should not be equal to the username

That one could be a new pref..., but I feel like we should just "do it".


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32553
[Bug 32553] Don't allow to use the same password as before when a password
expires/is reset
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33042
[Bug 33042] Enforce 4 character groups (lowercase, uppercase, numbers and
special characters) in passwords