[Koha-bugs] [Bug 25934] RequireStrongPassword should be more complex (password policy complexity)

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu Jul 9 02:12:20 CEST 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25934

--- Comment #7 from David Cook <dcook at prosentient.com.au> ---
(In reply to Fred King from comment #6)
> While I agree that your password criteria would be useful for many Koha
> institutions, they would not be for all of them. My Koha system used to be
> behind my institution's firewall, and we didn't need such strict security. I
> had to move it to a cloud server so all our staff could access it while they
> worked from home, but I think that for us, your proposed changes would be
> far too strict.
> 

Nothing would change for existing installs - only new ones. New installs could
turn off the enhanced security.

> #1: That's a lot of characters to remember. I work in a hospital where
> medical staff have access to extremely confidential information. Our minimum
> is eight characters. Even then, I usually end up writing mine down (in
> transliterated Cyrillic, so I think I'm minimizing the danger).
> 

Encrypted password managers can be good for this. Although if a person doesn't
have a dedicated workstation (like in a clinic), this can admittedly be
problematic, that really points to a problem with hospital computer
security practices.

But this problem can also be ameliorated by the use of Single Sign On to reduce
the number of different passwords, and to make it easier to update passwords. 

> #2: See https://xkcd.com/936/. I think he has a good point.

There's been lots of online debate about this, but a person could do worse.

> #3: This one I agree with. I'd also recommend a minimum number of days
> before you can change it again, if you're considering letting people reuse
> passwords after x number of changes. ("Time to change my password, and I
> can't use my past three passwords. Well, I'll change it to cat, then owl,
> then cow, and then back to dog.")
> 

Yeah, in practice I find people often just increment a number at the end of the
password to try to work around this requirement. Users have shown me all kinds
of very similar systems that they thought were unique/difficult to crack.

> #4: Also challenging to low-spec systems that use more than one language.
> I'd really, really urge you to make this one optional.

Yeah, this one is really a "nice to have" rather than a must have. Even in a
default situation, I wouldn't enable this because there are too many variables.

> #5: Well, it's really useful on an in-house test system, but OK.

That makes me think about all those airplanes that have the same usernames and
passwords from when they were on the in-house test system though.

> I'm all in favor of protection, and I know full well that any online system
> can be attacked from anywhere. I'd just like the option to choose how many
> bars to put on the windows.

It's true. Koha is all about choice. I'll keep that in mind once I start on
this work. It's great getting all these different perspectives.

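The history check discussed above (comment #6's "cat, owl, cow, then back to dog", and comment #7's users who just increment a trailing digit) is easy to get wrong if the policy only compares the new password against the stored hashes of the old ones: "dog1" and "dog2" hash to unrelated values. The following is an added example, not Koha's code and not anything proposed in this bug; it shows one way to make a bounded history catch trivial variants. Every name in it (MIN_LENGTH, HISTORY_DEPTH, stem, check_new_password, rotate, the DEFAULT_PASSWORDS deny-list and the sample passwords) is this example's own assumption. The design choice to note is that each history entry stores a second PBKDF2 hash of a normalised "stem" of the password (lower-cased, trailing digits and punctuation stripped, common leetspeak undone); that stem has less entropy than the password itself, so this is a deliberate trade-off a site would have to accept, and the policy knobs are exactly the sort of thing the thread wants to be optional.

```python
"""Password-change policy checker (added example; not Koha's code)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List, Optional

MIN_LENGTH = 12          # assumption: a longer minimum than the 8 mentioned in the thread
HISTORY_DEPTH = 3        # assumption: how many previous passwords are remembered
PBKDF2_ROUNDS = 20_000   # kept low so the example runs quickly; production wants far more

# Constructed deny-list standing in for "default credentials left over from a test system".
DEFAULT_PASSWORDS = {"password", "administrator", "admin", "koha", "changeme", "test"}

_TRAILING_JUNK = re.compile(r"[0-9!@#$%^&*.?]+$")


def stem(password: str) -> str:
    """Canonical form used to catch 'dog1' -> 'dog2' style rotations.

    Lower-case, drop trailing digits/punctuation, undo common leetspeak.
    An all-digit password would stem to '', so fall back to the lower-cased input.
    """
    s = password.lower()
    s = _TRAILING_JUNK.sub("", s)
    s = s.translate(str.maketrans("0143$@", "oiaesa"))
    return s or password.lower()


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class HistoryEntry:
    salt: bytes
    full_hash: bytes   # verifier for the password as typed
    stem_hash: bytes   # verifier for stem(password); lower entropy, a deliberate trade-off


def make_entry(password: str) -> HistoryEntry:
    salt = os.urandom(16)
    return HistoryEntry(salt, _derive(password, salt), _derive(stem(password), salt))


def _full_match(entry: HistoryEntry, candidate: str) -> bool:
    return hmac.compare_digest(entry.full_hash, _derive(candidate, entry.salt))


def _stem_match(entry: HistoryEntry, candidate: str) -> bool:
    return hmac.compare_digest(entry.stem_hash, _derive(stem(candidate), entry.salt))


def check_new_password(candidate: str, history: List[HistoryEntry]) -> Optional[str]:
    """Return None if the candidate is acceptable, otherwise the reason it was rejected."""
    if len(candidate) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    # The stem normaliser also catches 'Administrator2020!' against the deny-list.
    if stem(candidate) in DEFAULT_PASSWORDS:
        return "well-known default password"
    for old in history[-HISTORY_DEPTH:]:
        if _full_match(old, candidate):
            return "reused a recent password"
        if _stem_match(old, candidate):
            return "trivial variant of a recent password"
    return None


def rotate(history: List[HistoryEntry], new_password: str) -> List[HistoryEntry]:
    """Apply the policy and return the updated, bounded history (oldest entry dropped)."""
    reason = check_new_password(new_password, history)
    if reason is not None:
        raise ValueError(reason)
    return (history + [make_entry(new_password)])[-HISTORY_DEPTH:]


if __name__ == "__main__":
    # Constructed walk-through of the scenario in the thread.
    hist = rotate([], "correct horse battery staple")
    for attempt in ("correct horse battery staple2", "Correct Horse Battery Staple!",
                    "Administrator2020!", "short1", "owl then cow then back to dog"):
        print(f"{attempt!r}: {check_new_password(attempt, hist) or 'accepted'}")
```

Note what the bounded history does not do: once HISTORY_DEPTH further passwords have been set, the original one drops out and is accepted again, which is exactly the rotation comment #6 describes and why a minimum age between changes was suggested there.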