[Koha-bugs] [Bug 18298] Enforce password complexity

bugzilla-daemon at bugs.koha-community.org
Tue Mar 21 14:15:46 CET 2017


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298

--- Comment #20 from Jonathan Druart <jonathan.druart at bugs.koha-community.org> ---
(In reply to Marcel de Rooy from comment #19)
> In order to call a password "strong", we should definitely not allow a
> password length less than 8 characters (not to talk about 12-14). And we
> should enforce a special character too. (Enforcing uc,lc,digits is
> definitely an improvement btw!)
> When you enable RequireStrongPassword, you should just raise
> minPasswordLength. You cannot enable it and have strong passwords of 3
> chars. Impossible!

I am in discussion with the sponsor about the special character. In any case
that will be dealt with on another bug report.

> I saw several constructs like:
> my $minpw = C4::Context->preference('minPasswordLength');
> $minpw = 3 if not $minpw or $minpw < 3;
> We could call a function in C4/Auth to get the password length and not check
> the pref everywhere. And increase 3 of course.

See the whole patch set, this is fixed in the last patch.

> "To avoid the password to be sent plain text it is certainly better to
> generate it client-side."
> And then send it back to the server plain text?
> Or should we just say: use https and we trust that transmission?

Yes indeed, it is still passing plain text unless using https.

> "Now that we have a check client-side, nothing prevents us from a smart guy
> to bypass it and force an invalid password."
> And this is an issue. How do you want to resolve that one?

Hum? I added server-side checks everywhere.

-- 
You are receiving this mail because:
You are watching all bug changes.
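The thread above raises two points: the effective minimum length should come from one helper instead of `$minpw = 3 if not $minpw or $minpw < 3;` being repeated at every call site, and every password check must run server-side because a client-side check can be skipped. The Perl below is an added illustration of that shape, not Koha's own code: `preference()` is a stand-in for `C4::Context->preference()` backed by a constructed hash, the floor of 8 and the rule names are assumptions chosen for the demo, and the sample passwords are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not Koha code. %prefs and preference() stand in for
# C4::Context->preference(); the values are constructed for this demo.
my %prefs = (
    minPasswordLength     => 3,   # deliberately too low, to show the floor
    RequireStrongPassword => 1,
);
sub preference { return $prefs{ $_[0] } }

# Hard floor applied regardless of the preference value. The number 8 is
# a constructed choice for this example, not a project setting.
use constant MIN_PASSWORD_LENGTH_FLOOR => 8;

# The single place that decides the effective minimum length, so callers
# never read the preference (or repeat the "3 if not $minpw" idiom).
sub get_min_password_length {
    my $minpw = preference('minPasswordLength');
    $minpw = 0 unless defined $minpw and $minpw =~ /^\d+$/;
    return $minpw < MIN_PASSWORD_LENGTH_FLOOR ? MIN_PASSWORD_LENGTH_FLOOR : $minpw;
}

# Server-side validation. Returns an empty list when the password is
# acceptable, otherwise a list of reasons. Every code path that sets a
# password calls this, because a client-side check can be bypassed.
sub validate_password {
    my ($password) = @_;
    my @errors;
    $password = '' unless defined $password;

    my $min = get_min_password_length();
    push @errors, "too_short:$min" if length($password) < $min;
    push @errors, 'has_whitespace'  if $password =~ /\s/;

    if ( preference('RequireStrongPassword') ) {
        push @errors, 'missing_uppercase' unless $password =~ /[A-Z]/;
        push @errors, 'missing_lowercase' unless $password =~ /[a-z]/;
        push @errors, 'missing_digit'     unless $password =~ /\d/;
    }
    return @errors;
}

# Constructed sample inputs, run through the same check a form handler
# would call after receiving the submitted value.
for my $candidate ( 'abc', 'password1', 'Passw0rdOK', 'Sh0rt' ) {
    my @why = validate_password($candidate);
    printf "%-12s %s\n", $candidate,
        @why ? 'rejected: ' . join( ', ', @why ) : 'accepted';
}
```

Because `get_min_password_length()` is the only reader of `minPasswordLength`, raising the floor or tying it to `RequireStrongPassword` is a one-line change, and the client-side check becomes a convenience for the user rather than the control the server relies on.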

