[Bug 36602] New: Locked account requires a password change
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36602 Bug ID: 36602 Summary: Locked account requires a password change Change sponsored?: --- Product: Koha Version: 23.05 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Patrons Assignee: koha-bugs@lists.koha-community.org Reporter: cbrannon@cdalibrary.org QA Contact: testopia@bugs.koha-community.org CC: gmcharlt@gmail.com, kyle.m.hall@gmail.com It doesn't make sense that a password change is required for a locked account. Accounts are locked because someone has attempted to log into the account multiple times and has failed the threshold. This means that someone knows the account username, but doesn't know the password. If the threshold is not a low number, it is likely someone is trying to gain access to the account that should (especially if they don't use a forgot password method. It seems that the more logical approach is to require a card number and/or username change. I guess it is possible that it could be the patron/user and they are just really bad at password recovery, and persistent, but I'm still not convinced this is the most logical response to being locked out. A change in username would be more likely to thwart abusive users. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36602 --- Comment #1 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- A change of username is not always an option. Often an email address will serve as username and cannot/should not be changed. Cardnumbers might be printed on student cards and cannot easily be changed as well. The password change, as it's not linked to a physical thing (like a card) is I think the easiest and most standard option. I know that other apps like booking.com make me do it as well when I lock myself out. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36602 --- Comment #2 from Christopher Brannon <cbrannon@cdalibrary.org> --- Again, I'm not sure what exactly the end goal here is. My initial thought is that this is a feature to stop someone from trying to hack an account. Is that the point? Because, as is, it seems more like a feature to get you to stop trying to figure out your password and just get it reset. I guess, sure, if there is a bot constantly trying to hack the account, it is going to keep trying that account number and rotate through password iterations until it is stopped. But if you unlock the account, even with a new password, wouldn't it just keep trying again? So, it would seem we are just trying to make the user give up and contact the library. One thought about this is, if the account has an email address, instead of having the user go through the library to change the password, just lock the account and email a password reset to the email account. The only argument I could see against that is if someone had access to a patron's email account and forced Koha to send a reset. But if they have access to the email account, they could always use the forgot email option. In both cases they would already have all the pieces they would need to get into the account. So, it seems reasonable that sending a reset to the patron email account automatically would be acceptable. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org