[Koha-bugs] [Bug 9885] New: Passwords generated by command line scripts are weak
bugzilla-daemon at bugs.koha-community.org
Thu Mar 21 10:21:34 CET 2013
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885
Bug ID: 9885
Summary: Passwords generated by command line scripts are weak
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5 - low
Component: Command-line Utilities
Assignee: gmcharlt at gmail.com
Reporter: peterAtKohaBugzilla at pck.co.nz

The command line scripts koha-reset-passwd and koha-create in debian/scripts
generate fairly weak passwords.

Staff passwords are generated as an eight-character "readable" pwgen password,
as is the MySQL password. The Zebra password is generated as a 12-character
readable password.

The eight-character passwords are fairly vulnerable - see the discussion at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=276976 or the somewhat more
dry discussion at http://ix.cs.uoregon.edu/~butler/pubs/password.pdf

Do these passwords really need to be THAT friendly?

I would suggest:

- changing the Zebra and MySQL passwords to 16-character "secure"
  passwords, i.e. generated with pwgen -s 16 1
- changing the patron password to a 12-character not-secure password.

I'm happy to write the patch for these two files if there is consensus that it
should be actioned.

I have checked gitk and while I read the current debian koha-common version of
the scripts (package 3.11-1~git+20130321124944.90dfa923), this does not appear
to have changed in the master version.
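
The generation step suggested in the report, as an added shell example (not code from the Koha scripts or from the original message). `gen_secure_passwd` and `passwd_bits` are hypothetical helper names, and the `/dev/urandom` fallback is an assumption for hosts where pwgen is not installed. `passwd_bits` gives the search space of a fully random password, which is only an upper bound for pwgen's "readable" mode.

```shell
#!/bin/sh
# Added example: service-account password generation as proposed in the report.
# Helper names are hypothetical; they do not exist in koha-create.

# Print one random password of length $1 (default 16) over [A-Za-z0-9].
gen_secure_passwd() {
    len="${1:-16}"
    if command -v pwgen >/dev/null 2>&1; then
        # -s: completely random, no pronounceable patterns (the report's proposal).
        pwgen -s "$len" 1
    else
        # Assumed fallback: keep only alphanumeric bytes from the kernel CSPRNG.
        # Discarding unwanted bytes (instead of mapping them) avoids modulo bias.
        LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
        echo
    fi
}

# Print log2(alphabet^len) to one decimal: the bits of search space when every
# character is chosen independently and uniformly from $2 symbols.
# Pronounceable passwords of the same length fall below this figure.
passwd_bits() {
    LC_ALL=C awk -v n="$1" -v a="$2" 'BEGIN { printf "%.1f\n", n * log(a) / log(2) }'
}

# Compare the lengths discussed in the report (62 = upper + lower + digits).
for n in 8 16; do
    echo "length $n, fully random: at most $(passwd_bits "$n" 62) bits"
done
```

In a provisioning script the result would be captured into a variable, for example `zebrapwd=$(gen_secure_passwd 16)`, and written only to root-readable configuration rather than echoed.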