[Koha-bugs] [Bug 12617] Koha should let admins to configure automatically generated password complexity/difficulty

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Wed Sep 30 02:20:04 CEST 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=12617

--- Comment #18 from David Cook <dcook at prosentient.com.au> ---
(In reply to Fridolin SOMERS from comment #16)
> > However Javascript doesn't seem to support POSIX
> Ah ok good point.
> 
> But why are öäåÄÖÅ not in :
>   if ( password_policy == 'complex' ){
>     chars =
> '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ|[]{}!
> @#$%^&*()_-+?';
> 
> In my opinion, for a heavy international software like Koha you may stick to
> [a-zA-Z] as the only alphabetic characters.
> 
> Or create lang-based policies complex-en, complex-fi ...

Based on my earlier comment, especially regarding Red Hat's Keycloak password
policies, I think that limiting to
'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ|[]{}!@#$%^&*()_-+?'
might not be wise for a "complex" policy.

Look at pam_cracklib too which is used by massive international Linux providers
(https://linux.die.net/man/8/pam_cracklib and
https://github.com/linux-pam/linux-pam/blob/master/modules/pam_cracklib/pam_cracklib.c).
There complexity is determined by "minlen, maxclassrepeat, dcredit, ucredit,
lcredit, and ocredit". 

Looking at
https://github.com/linux-pam/linux-pam/blob/master/modules/pam_cracklib/pam_cracklib.c,
it looks like the ctype library includes functions for isupper, islower, 
isdigit, etc. "ocredit" for "other characters" is just whatever isn't a digit,
uppercase letter, or lowercase letter. The Javascript would be more verbose,
but it should be doable using a similar algorithm. 

Chinese is probably still an issue if your password policy has uppercase and
lowercase requirements, but that's probably why there are so many Chinese ASCII
passwords as per my previous post, but Latin characters with diacritics should
be fine using this kind of complexity.

But... that's just my 2 cents. I'm not the one writing this patch. I also
haven't extensively tested it, so maybe I'm missing the current point of the
conversation.

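The pam_cracklib-style class counting described in the comment above, written out as an added JavaScript example (not Koha code and not part of the patch under discussion). It assumes Unicode property escapes (`\p{Lu}`, `\p{Ll}`, `\p{Nd}`) stand in for ctype's isupper/islower/isdigit so that letters such as öäåÄÖÅ count as alphabetic, and it models pam_cracklib's minlen, maxclassrepeat and credit semantics as the author recalls them.

```javascript
// Added example (not Koha code): a pam_cracklib-style complexity check in JS.
// Unicode property escapes take the place of ctype's isdigit/isupper/islower.
const CLASSES = { digit: /\p{Nd}/u, upper: /\p{Lu}/u, lower: /\p{Ll}/u };

// Classify one character as digit, upper, lower or "other".
function classOf(ch) {
  for (const [name, re] of Object.entries(CLASSES)) if (re.test(ch)) return name;
  return "other"; // pam_cracklib's ocredit class: not digit, upper or lower
}

// Count characters per class; for...of walks code points, not UTF-16 units.
function countClasses(password) {
  const counts = { digit: 0, upper: 0, lower: 0, other: 0 };
  for (const ch of password) counts[classOf(ch)] += 1;
  return counts;
}

// Longest run of consecutive same-class characters (for maxclassrepeat).
function maxClassRun(password) {
  let best = 0, run = 0, prev = null;
  for (const ch of password) {
    const c = classOf(ch);
    run = c === prev ? run + 1 : 1;
    prev = c;
    best = Math.max(best, run);
  }
  return best;
}

// pam_cracklib-style evaluation (assumed semantics): a credit >= 0 lets up to
// that many characters of the class add to the length score; a credit < 0
// requires at least that many characters of the class and adds nothing.
function checkPolicy(password, policy) {
  const { minlen, maxclassrepeat = 0 } = policy;
  const credits = { digit: policy.dcredit || 0, upper: policy.ucredit || 0,
                    lower: policy.lcredit || 0, other: policy.ocredit || 0 };
  const counts = countClasses(password);
  let score = [...password].length;
  for (const [cls, credit] of Object.entries(credits)) {
    if (credit >= 0) score += Math.min(counts[cls], credit);
    else if (counts[cls] < -credit) return { ok: false, reason: `fewer than ${-credit} ${cls}` };
  }
  if (score < minlen) return { ok: false, reason: `score ${score} below minlen ${minlen}` };
  if (maxclassrepeat > 0 && maxClassRun(password) > maxclassrepeat)
    return { ok: false, reason: `more than ${maxclassrepeat} consecutive same-class characters` };
  return { ok: true, score };
}
```

With all four credits set to 1 and minlen 10, "öäåÄÖÅ1!" scores 12 and passes, while an all-lowercase 8-character string scores 9 and fails, which is the behaviour the comment describes for diacritic Latin characters.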