https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25934
Katrin Fischer <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21314
            Summary|RequireStrongPassword       |[OMNIBUS] Passwords should
                   |should be more complex      |be more complex / password
                   |(password policy            |policy complexity
                   |complexity)                 |
         Depends on|                            |32553, 33042

--- Comment #9 from Katrin Fischer <[email protected]> ---

It feels like we should revisit this one. I think David made a lot of good suggestions, but maybe we should implement some of them as separate features:

> 1. A minimum length of 10 characters that can't be lowered via
> minPasswordLength

I think that would be an 'enhancement' of minPasswordLength. Maybe 8 would be more agreeable as a start (at the moment it's 3). But see also: bug 21314, which had an issue with 3 already.

> 2. Should contain 3 of the following 4 sets (lowercase, uppercase, numbers,
> special characters)

I think this could be a new second option to RequireStrongPassword if we restructured the code a bit to make it not boolean but have several password policies people can "update" to. I've filed:

Bug 33042 - Enforce 4 character groups (lowercase, uppercase, numbers and special characters) in passwords

> 3. Not be the same as a previously set password

We have a separate bug for this already:

Bug 32553 - Don't allow to use the same password as before when a password expires/is reset

> 4. Should not include dictionary words or common passwords (This could be
> challenging to do comprehensively on low spec systems, although one
> variation of this could be to add a customizable list of passwords to
> exclude.)

We could file a new report for this. I am not sure if there are existing multi-language dictionaries we could use here, but Koha being international might add some additional difficulty?

> 5. Should not be equal to the username

That one could be a new pref..., but I feel like we should just "do it".

Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32553
[Bug 32553] Don't allow to use the same password as before when a password expires/is reset

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33042
[Bug 33042] Enforce 4 character groups (lowercase, uppercase, numbers and special characters) in passwords

_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
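The five rules discussed in the comment above, combined into one policy check, as an added illustration that is not Koha's code and is not taken from any of the referenced bugs. All names here are assumptions for the example: POLICY_FLOOR_LENGTH stands in for a hard floor that a local minPasswordLength-style setting cannot lower, REQUIRED_CLASSES for the "3 of 4 sets" rule, EXCLUDED_PASSWORDS for the "customizable list of passwords to exclude", and the PBKDF2 helpers stand in for whatever hash a real system stores (Koha's actual hashing is not modelled). Rule 3 is checked against stored hashes of earlier passwords rather than a plaintext history, which is the only form such a history should ever be kept in.

```python
import hashlib
import hmac
import os
import re

# Hypothetical policy knobs for this example, not Koha system preferences.
POLICY_FLOOR_LENGTH = 8   # hard floor; a lower local minimum is ignored (rule 1)
REQUIRED_CLASSES = 3      # of the four character classes below (rule 2)

# Constructed exclusion list standing in for a customizable "common passwords" list (rule 4).
EXCLUDED_PASSWORDS = {"password", "password1", "koha1234", "library", "12345678"}

_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

_PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 for the example's stored password history.

    Returns salt || digest so a single bytes value can be kept per old password.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ROUNDS)
    return salt + digest


def matches_hash(password, stored):
    """Constant-time comparison of a candidate password against one stored hash."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_password(password, username, previous_hashes=(), min_length=POLICY_FLOOR_LENGTH):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []

    # Rule 1: minimum length, with a floor that a local setting cannot lower.
    effective_min = max(min_length, POLICY_FLOOR_LENGTH)
    if len(password) < effective_min:
        problems.append(f"shorter than {effective_min} characters")

    # Rule 2: at least REQUIRED_CLASSES of the four character classes.
    present = [name for name, rx in _CLASSES.items() if rx.search(password)]
    if len(present) < REQUIRED_CLASSES:
        problems.append(f"uses {len(present)} of 4 character classes, need {REQUIRED_CLASSES}")

    # Rule 3: must not equal any previously set password (checked against stored hashes).
    if any(matches_hash(password, h) for h in previous_hashes):
        problems.append("same as a previously used password")

    # Rule 4: must not be on the exclusion list (case-insensitive).
    if password.lower() in EXCLUDED_PASSWORDS:
        problems.append("on the excluded/common password list")

    # Rule 5: must not equal the username (case-insensitive).
    if password.lower() == username.lower():
        problems.append("equal to the username")

    return problems


if __name__ == "__main__":
    history = [hash_password("Tr0ub4dor&3")]
    for candidate in ["Tr0ub4dor&3", "Password1", "abc", "Alice", "C0rrect-Horse"]:
        print(candidate, "->", check_password(candidate, "alice", history) or "ok")
```

The length floor is applied with max(), so passing a smaller min_length (as a misconfigured preference might) has no effect; the class check counts distinct classes rather than characters, so "aaaaaaA1" passes rule 2 while "aaaaaaaa" does not. Rule 4 here is only the exclusion-list variant David mentioned; a full dictionary check would need a word list per language and is deliberately not attempted.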
