https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298 --- Comment #19 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- In order to call a password "strong", we should definitely not allow a password length less than 8 characters (not to talk about 12-14). And we should enforce a special character too. (Enforcing uc,lc,digits is definitely an improvement btw!) When you enable RequireStrongPassword, you should just raise minPasswordLength. You cannot enable it and have strong passwords of 3 chars. Impossible! Also: The default for minPasswordLength should really be 8. If people want to make it three characters after install, which they should not do, we could argue that this is their own responsibility. Or we could just not allow it. I saw several constructs like: my $minpw = C4::Context->preference('minPasswordLength'); $minpw = 3 if not $minpw or $minpw < 3; We could call a function in C4/Auth to get the password length and not check the pref everywhere. And increase 3 of course. "To avoid the password to be sent plain text it is certainly better to generate it client-side." And then send it back to the server plain text? Or should we just say: use https and we trust that transmission? "Now that we have a check client-side, nothing prevents us from a smart guy to bypass it and force an invalid password." And this is an issue. How do you want to resolve that one? -- You are receiving this mail because: You are watching all bug changes.