[Koha-bugs] [Bug 25934] RequireStrongPassword should be more complex (password policy complexity)

bugzilla-daemon at bugs.koha-community.org
Wed Jul 8 18:44:59 CEST 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25934

Fred King <fred.king at medstar.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fred.king at medstar.net

--- Comment #6 from Fred King <fred.king at medstar.net> ---
While I agree that your password criteria would be useful for many Koha
institutions, they would not be for all of them. My Koha system used to be
behind my institution's firewall, and we didn't need such strict security. I
had to move it to a cloud server so all our staff could access it while they
worked from home, but I think that for us, your proposed changes would be far
too strict.

#1: That's a lot of characters to remember. I work in a hospital where medical
staff have access to extremely confidential information. Our minimum is eight
characters. Even then, I usually end up writing mine down (in transliterated
Cyrillic, so I think I'm minimizing the danger).

#2: See https://xkcd.com/936/. I think he has a good point.

#3: This one I agree with. I'd also recommend a minimum number of days before
you can change it again, if you're considering letting people reuse passwords
after x number of changes. ("Time to change my password, and I can't use my
past three passwords. Well, I'll change it to cat, then owl, then cow, and then
back to dog.")

#4: Also challenging to low-spec systems that use more than one language. I'd
really, really urge you to make this one optional.

#5: Well, it's really useful on an in-house test system, but OK.

I'm all in favor of protection, and I know full well that any online system can
be attacked from anywhere. I'd just like the option to choose how many bars to
put on the windows.

-- 
You are receiving this mail because:
You are watching all bug changes.
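
Added example, not part of the original message and not Koha code: the dog, cat, owl, cow, dog sequence from point #3 of the comment, replayed against a password history of three with and without a minimum password age. All function names, the PBKDF2 parameters and the timestamps are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

def _digest(password, salt):
    # PBKDF2 parameters are illustrative assumptions, not Koha's settings.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_account(password, now):
    # Hypothetical account record: salted hashes only, plus last-change time.
    salt = os.urandom(16)
    return {"history": [(salt, _digest(password, salt))], "changed_at": now}

def change_password(acct, new_pw, now, history_depth, min_age):
    """Return 'ok', 'too soon' or 'reused'; only 'ok' updates the account."""
    if now - acct["changed_at"] < min_age:
        return "too soon"
    # History holds the last `history_depth` passwords, current one included.
    for salt, digest in acct["history"][-history_depth:]:
        if hmac.compare_digest(_digest(new_pw, salt), digest):
            return "reused"
    salt = os.urandom(16)
    entry = (salt, _digest(new_pw, salt))
    acct["history"] = (acct["history"] + [entry])[-history_depth:]
    acct["changed_at"] = now
    return "ok"

def replay_cycle(min_age, history_depth=3):
    """Replay dog -> cat -> owl -> cow -> dog with changes one minute apart."""
    start = datetime(2020, 7, 8, 9, 0)  # constructed timestamps
    acct = new_account("dog", start - timedelta(days=30))
    return [
        change_password(acct, pw, start + timedelta(minutes=i),
                        history_depth, min_age)
        for i, pw in enumerate(["cat", "owl", "cow", "dog"])
    ]

if __name__ == "__main__":
    print("no minimum age:", replay_cycle(timedelta(0)))
    print("1-day minimum :", replay_cycle(timedelta(days=1)))
```

With no minimum age, all four changes are accepted and the account ends up back on its original password; with a one-day minimum, only the first change goes through.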

