https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298 --- Comment #20 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- (In reply to Marcel de Rooy from comment #19)
In order to call a password "strong", we should definitely not allow a password length less than 8 characters (not to talk about 12-14). And we should enforce a special character too. (Enforcing uc,lc,digits is definitely an improvement btw!) When you enable RequireStrongPassword, you should just raise minPasswordLength. You cannot enable it and have strong passwords of 3 chars. Impossible!
I am in discussion with the sponsor about the special character. In any cases that will be dealt on another bug report.
I saw several constructs like: my $minpw = C4::Context->preference('minPasswordLength'); $minpw = 3 if not $minpw or $minpw < 3; We could call a function in C4/Auth to get the password length and not check the pref everywhere. And increase 3 of course.
See the whole patch set, this is fixed in the last patch.
"To avoid the password to be sent plain text it is certainly better to generate it client-side." And then send it back to the server plain text? Or should we just say: use https and we trust that transmission?
Yes indeed, it is still passing plain text unless using https.
"Now that we have a check client-side, nothing prevents us from a smart guy to bypass it and force an invalid password." And this is an issue. How do you want to resolve that one?
Hum? I added server-side checks everywhere. -- You are receiving this mail because: You are watching all bug changes.