http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885 Bug ID: 9885 Summary: Passwords generated by command line scripts are weak Classification: Unclassified Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Command-line Utilities Assignee: gmcharlt@gmail.com Reporter: peterAtKohaBugzilla@pck.co.nz The command line scripts koha-reset-passwd and koha-create in debian/scripts generate fairly weak passwords. Staff passwords are generated as an eight-character "readable" pwgen password, as is the mysql password. The Zebra password is generated as a 12 character readable password. The eight character passwords are fairly vulnerable - see the discussion at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=276976 or the somewhat more dry discussion at http://ix.cs.uoregon.edu/~butler/pubs/password.pdf Do these passwords really need to be THAT friendly? I would suggest: - changing the zebra password and mysql passwords to 16 character "secure" passwords, ie generated with pwgen -s 16 1 - changing the patron password to a 12 character not-secure password. I'm happy to write the patch for these two files if there is consensus that it should be actioned. I have checked gitk and while I read the current debian koha-common version of the scripts (package 3.11-1~git+20130321124944.90dfa923), this does not appear to have changed in the master version. -- You are receiving this mail because: You are watching all bug changes.