[Koha-bugs] [Bug 18298] Enforce password complexity

bugzilla-daemon at bugs.koha-community.org
Tue Mar 21 13:58:34 CET 2017


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #19 from Marcel de Rooy <m.de.rooy at rijksmuseum.nl> ---
In order to call a password "strong", we should definitely not allow a password
length less than 8 characters (not to mention 12-14). And we should enforce
a special character too. (Enforcing uc, lc, digits is definitely an improvement
btw!)
When you enable RequireStrongPassword, you should just raise minPasswordLength.
You cannot enable it and have strong passwords of 3 chars. Impossible!

Also: The default for minPasswordLength should really be 8. If people want to
make it three characters after install, which they should not do, we could
argue that this is their own responsibility. Or we could just not allow it.

I saw several constructs like:
my $minpw = C4::Context->preference('minPasswordLength');
$minpw = 3 if not $minpw or $minpw < 3;
We could call a function in C4/Auth to get the password length and not check
the pref everywhere. And increase 3 of course.

"To avoid the password to be sent plain text it is certainly better to
generate it client-side."
And then send it back to the server plain text?
Or should we just say: use https and we trust that transmission?

"Now that we have a check client-side, nothing prevents us from a smart guy to
bypass it and force an invalid password."
And this is an issue. How do you want to resolve that one?

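A stand-alone sketch of the server-side policy the comment argues for (a hard floor on minPasswordLength and uc/lc/digit/special checks when RequireStrongPassword is on, applied regardless of any client-side check). This is an added example, not Marcel's code or Koha's; the preferences are passed in as a hash so it runs without C4::Context, and the floor of 8 and the set of checks are assumptions, not Koha's actual behaviour.

```perl
#!/usr/bin/perl
# Added example, not Koha code. Preferences are passed in as a plain hash so
# this runs stand-alone; in Koha they would come from C4::Context->preference().
use strict;
use warnings;

# Effective minimum length: the pref, but never below a hard floor of 8
# (assumed here instead of the "3" seen in the existing constructs).
sub effective_min_length {
    my (%prefs) = @_;
    my $floor = 8;
    my $minpw = $prefs{minPasswordLength} || 0;
    $minpw = $floor if $minpw < $floor;
    return $minpw;
}

# Returns the list of policy violations; an empty list means the password
# is acceptable. Runs on the server no matter what the browser checked.
sub check_password {
    my ($password, %prefs) = @_;
    my @problems;
    my $min = effective_min_length(%prefs);
    push @problems, "shorter than $min characters" if length($password) < $min;
    if ($prefs{RequireStrongPassword}) {
        push @problems, 'no uppercase letter'  unless $password =~ /[A-Z]/;
        push @problems, 'no lowercase letter'  unless $password =~ /[a-z]/;
        push @problems, 'no digit'             unless $password =~ /\d/;
        push @problems, 'no special character' unless $password =~ /[^A-Za-z0-9]/;
    }
    return @problems;
}

# Constructed inputs: a pref set to 3 (as an admin might do after install),
# which the floor overrides, and three sample passwords.
my %prefs = ( minPasswordLength => 3, RequireStrongPassword => 1 );
for my $pw ( 'abc', 'Secret12', 'Secr3t!pass' ) {
    my @p = check_password( $pw, %prefs );
    printf "%-12s %s\n", $pw, @p ? 'rejected: ' . join( ', ', @p ) : 'accepted';
}
```

With the constructed preferences 'abc' is rejected on length and character classes, 'Secret12' is rejected only for lacking a special character, and 'Secr3t!pass' is accepted.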