[Koha-bugs] [Bug 12617] Koha should let admins to configure automatically generated password complexity/difficulty

bugzilla-daemon at bugs.koha-community.org
Wed Sep 30 01:58:34 CEST 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=12617

--- Comment #17 from David Cook <dcook at prosentient.com.au> ---
(In reply to Fridolin SOMERS from comment #16)
> > However Javascript doesn't seem to support POSIX
> Ah ok good point.
> 
> But why are öäåÄÖÅ not in :
>   if ( password_policy == 'complex' ){
>     chars =
> '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ|[]{}!
> @#$%^&*()_-+?';
> 
> In my opinion, for a heavy international software like Koha you may stick to
> [a-zA-Z] as the only alphabetic characters.
> 
> Or create lang-based policies complex-en, complex-fi ...

I think the default with password managers tends to be printable ASCII
characters (i.e. Upper-case, Lower-case, Digits, Special). That said, I have
seen "High ANSI characters" as an option...

But then I thought about Chinese password habits
(https://medium.com/@ye.sunnia/an-analysis-of-chinese-passwords-e49b97b91919 or
https://www.theverge.com/tldr/2019/3/5/18252150/bad-password-security-data-breach-taiwan-ji32k7au4a83-have-i-been-pwned),
which seem to fall into ASCII. 

I just spun up a Keycloak container (an Identity Provider created by Red Hat),
and I'm trying to reset my password (as a user) to a Chinese password in
Windows Chrome, but it seems to be preventing my software-based pinyin input
from working. It seems to be forcing my hardware keyboard. (Like if I type in
"wo", I see 2 masked characters appearing in the password field, rather than
being able to select the 1 我 character.)

That said, as a Keycloak admin, I was able to input a 我 character into the
user's password field. I wasn't able to manually enter it as a user, but if I
copied and pasted 我 into the password field as a user, it worked. 

Going back to the user view, I notice when I move from the username field to
the password field, my software keyboard changes modes from Chinese mode to
English mode. If I manually change the mode... it doesn't seem to make a
difference. 

Here's some reading on Keycloak password policies:
https://www.keycloak.org/docs/latest/server_admin/#password-policy-types, which
might be useful.
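
An added illustration, not part of the original comment and not Koha's code: a policy-keyed generator that picks symbols uniformly from a configurable alphabet and counts non-ASCII letters such as ö or 我 as single symbols. The `complex` alphabet is the string quoted in the thread with its e-mail line wrap joined (an assumption); `complex-fi`, `ALPHABETS` and the function names are hypothetical.

```javascript
// Added example. Names and the 'complex-fi' policy are assumptions.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Alphabet quoted in the thread, joined across the wrapped line (assumed).
const COMPLEX =
  '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ|[]{}!@#$%^&*()_-+?';
const ALPHABETS = {
  complex: COMPLEX,
  'complex-fi': COMPLEX + 'öäåÄÖÅ', // hypothetical language-based policy
};

// Unique code points after NFC normalization, so a precomposed 'ö' or '我'
// is one symbol (not UTF-16 halves) and duplicates cannot skew the draw.
function symbols(alphabet) {
  return [...new Set(Array.from(alphabet.normalize('NFC')))];
}

// Uniform index in [0, n) by rejection sampling: values in the incomplete
// top range are discarded instead of being folded in by a biased `% n`.
function randomIndex(n, random = rng) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    random.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(policy, length, random = rng) {
  const alphabet = ALPHABETS[policy];
  if (!alphabet) throw new Error(`unknown password policy: ${policy}`);
  const set = symbols(alphabet);
  return Array.from({ length }, () => set[randomIndex(set.length, random)]).join('');
}

// Entropy of a generated password in bits: length * log2(alphabet size).
function entropyBits(policy, length) {
  return length * Math.log2(symbols(ALPHABETS[policy]).length);
}
```
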
