On 12.05.2020 at 13:58, Christian Mack
([email protected]) wrote:
On 12.05.20 at 05:39, Jose David Bravo A
([email protected]) wrote:
I'm using SOGo 4.3 but my users are able to set very weak passwords,
like 123. Is there any way to restrict the creation of such weak passwords? I'm
using MySQL as a database.
With LDAP/AD authentication you can set password constraints in your
authentication source and tell SOGo to obey them with
passwordPolicy = YES;
With authentication per database there is no such thing.
Databases don't restrict password fields in any way.
You could open an enhancement request at https://sogo.nu/bugs for this.
Or you could disable changing passwords in SOGo and provide another way
to do so (e.g. a self service webpage).
You can also do a little patch to the JavaScript code of the SOGo
web interface. I did it for SOGo v2.3, but it should be easy to
adapt it to the newer version. I put my patch in the attachment.
Boguslaw Juza
--
[email protected]
https://inverse.ca/sogo/lists
diff -Naur SOGo-2.3.23.orig/UI/WebServerResources/UIxPreferences.js SOGo-2.3.23.new/UI/WebServerResources/UIxPreferences.js
--- SOGo-2.3.23.orig/UI/WebServerResources/UIxPreferences.js 2017-10-18 17:22:40.000000000 +0200
+++ SOGo-2.3.23.new/UI/WebServerResources/UIxPreferences.js 2018-02-18 13:22:42.000000000 +0100
@@ -1439,7 +1439,19 @@
if (field && confirmationField) {
var password = field.value;
if (password == confirmationField.value) {
- if (password.length > 0) {
+ if (password.length < 8) {
+ SetLogMessage("passwordError", _("Hasło musi mieć co najmniej 8 znaków."), "error");
+ }
+ else if (password.search(/[a-zA-Z]/)<0) {
+ SetLogMessage("passwordError", _("Hasło musi zawierać literę."), "error");
+ }
+ else if (password.search(/[0-9]/)<0) {
+ SetLogMessage("passwordError", _("Hasło musi zawierać cyfrę."), "error");
+ }
+ else if (password.search(/[^a-zA-Z0-9]/)<0) {
+ SetLogMessage("passwordError", _("Hasło musi zawierać znak specjalny."), "error");
+ }
+ else if (password.length > 0) {
var loginValues = readLoginCookie();
var policy = new PasswordPolicy(loginValues[0],
loginValues[1]);
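Review bot: The added length and character-class checks ahead of `else if (password.length > 0)` run only in the browser, in UIxPreferences.js, so they guide users of the web interface but do not enforce anything: a password change that reaches the server without passing through this script is still accepted, and, as noted earlier in the thread, database authentication applies no constraint of its own. The same rules need to be applied where the password is actually written (server side, or in the separate self-service page suggested earlier in the thread). Smaller points: the last branch `else if (password.length > 0)` is always true once `password.length < 8` has been ruled out and can be a plain `else`; the four messages are Polish literals passed to `_()`, so other locales will see Polish text unless English keys with translations are used; and `/[a-zA-Z]/` together with `/[^a-zA-Z0-9]/` treats non-ASCII letters such as `ł` as special characters rather than letters.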