[Koha-bugs] [Bug 21314] Koha enforces three (3) character password length even if RequireStrongPassword is disabled

bugzilla-daemon at bugs.koha-community.org
Wed Jan 3 21:56:38 CET 2024


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21314

Christopher Brannon <cbrannon at cdalibrary.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |cbrannon at cdalibrary.org

--- Comment #16 from Christopher Brannon <cbrannon at cdalibrary.org> ---
(In reply to Marcel de Rooy from comment #10)
> +    if ( C4::Context->preference('RequireStrongPassword') ) {
> +        $minPasswordLength = 3 if $minPasswordLength < 3;
> +    }
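
Review bot: the floor in `$minPasswordLength = 3 if $minPasswordLength < 3;` is a bare literal written twice, and it silently raises any lower value of $minPasswordLength once RequireStrongPassword is on. Suggest defining the floor once as a named constant, documenting it alongside the RequireStrongPassword preference so administrators can see that a lower setting is overridden, and confirming $minPasswordLength is always defined and numeric before the `<` comparison, since an undefined value would produce a warning on that line.
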
> 
> How strong is that? LOL
> Imo we should enforce at least 8 chars or so, and educate users that
> security has a price.

Our library practices similar methods, and we've run into this issue as well. 
I've never liked software that tells users how to enforce their security.  The
options should be there, and how secure or insecure they choose to run it
should be up to them.  However, there are bugs, like
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33462 that focus on
improving things in another way, which would give us more flexibility and
options.

It just feels like libraries are being forced to bend to the will of
programmers based on personal opinions.  There are a lot of minimum values that
could be forced on libraries and their patrons, but that should be the choice
of the library, not the program.

Imo, our default passwords SHOULD be stronger.  But I don't get to make that
decision, so why should a developer?
