[Koha-bugs] [Bug 9885] New: Passwords generated by command line scripts are weak

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu Mar 21 10:21:34 CET 2013


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885

            Bug ID: 9885
           Summary: Passwords generated by command line scripts are weak
    Classification: Unclassified
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: Command-line Utilities
          Assignee: gmcharlt at gmail.com
          Reporter: peterAtKohaBugzilla at pck.co.nz

The command line scripts koha-reset-passwd and koha-create in debian/scripts
generate fairly weak passwords.

Staff passwords are generated as an eight-character "readable" pwgen password,
as is the mysql password.  The Zebra password is generated as a 12-character
readable password.

The eight-character passwords are fairly vulnerable - see the discussion at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=276976 or the somewhat more
dry discussion at http://ix.cs.uoregon.edu/~butler/pubs/password.pdf

Do these passwords really need to be THAT friendly?

I would suggest:
- changing the zebra password and mysql passwords to 16-character "secure"
passwords, i.e. generated with pwgen -s 16 1
- changing the patron password to a 12-character not-secure password.

I'm happy to write the patch for these two files if there is consensus that it
should be actioned.

I have checked gitk and while I read the current debian koha-common version of
the scripts (package 3.11-1~git+20130321124944.90dfa923), this does not appear
to have changed in the master version.

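As an added illustration (not part of the bug report or of Koha's debian scripts), the following Python compares the entropy of the password policies discussed in the report and shows how a 16-character password equivalent to `pwgen -s 16 1` is drawn from the OS CSPRNG. The 62-symbol alphabet and the 1e10 guesses/second rate are assumptions; for pwgen's pronounceable "readable" mode the 62-symbol figure is only an upper bound, since its output is far from uniform over that alphabet.

```python
import math
import secrets
import string

# Assumption: pwgen -s draws uniformly from upper, lower and digits (62 symbols).
# pwgen's default "readable" mode is pronounceable and has less entropy than
# that, so treating it as 62 symbols gives an upper bound for those policies.
SECURE_ALPHABET = string.ascii_letters + string.digits  # 62 symbols

# (length, alphabet size) for the policies named in the report.
POLICIES = {
    "current_staff_mysql_8_readable": (8, 62),    # upper bound
    "current_zebra_12_readable": (12, 62),         # also the proposed patron policy
    "proposed_zebra_mysql_16_secure": (16, 62),    # pwgen -s 16 1
}


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password of this length/alphabet."""
    return length * math.log2(alphabet_size)


def expected_brute_force_seconds(bits, guesses_per_second):
    """Expected offline guessing time: half the keyspace on average."""
    return 2 ** (bits - 1) / guesses_per_second


def compare_policies(guesses_per_second=1e10):
    """Return {policy: (bits, expected_years)}; the guess rate is an assumed
    offline-cracking figure (e.g. a leaked hash database), not a measurement."""
    result = {}
    for name, (length, size) in POLICIES.items():
        bits = entropy_bits(length, size)
        years = expected_brute_force_seconds(bits, guesses_per_second) / (365.25 * 86400)
        result[name] = (bits, years)
    return result


def generate_secure_password(length=16):
    """Equivalent of pwgen -s: each symbol chosen uniformly via the OS CSPRNG."""
    return "".join(secrets.choice(SECURE_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
    print("example 16-character secure password:", generate_secure_password())
```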