From 558a809144560198c7febac4998f49c56c45c844 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Tue, 14 Mar 2017 20:01:27 -0300 Subject: [PATCH] Bug 18298: Enforce password complexity MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit This patchset prevents users from entering too weak a password, controlled by a new syspref RequireStrongPassword. If set, staff and patrons will have to enter a strong password. The strength rule cannot be modified; it has been arbitrarily set (by the author of this enhancement) to at least 1 lowercase, 1 uppercase and 1 digit. This can be reinforced by increasing the value of the existing minPasswordLength pref. I decided to turn this feature on, it cannot hurt! For existing installs it will have to be turned on manually. Writing these patches I found a lot of inconsistencies all around the password checks and decided to refactor everything to make things consistent and more robust. Now the password validity is checked in only one place (a subroutine covered by tests). Test plan: We have several places where a password can be changed/created: a. Editing a patron (members/memberentry.pl) b. Changing the password of a patron (members/member-password.pl) c. Changing your own password at the opac (opac/opac-passwd.pl). OpacPasswordChange needs to be set d. Resetting your own password at the opac (opac/opac-password-recovery.pl). OpacResetPassword needs to be set, see the "Forgot your password?" link when you are not logged in e. Self registration feature, PatronSelfRegistration needs to be set. You will also need to add 'password' to PatronSelfRegistrationBorrowerMandatoryField. Note that '****' is interpreted internally by Koha as meaning the password is not changed (existing behavior). To fully test this patch you will need to test the different combinations of RequireStrongPassword and minPasswordLength. Signed-off-by: Marc Véron Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Jonathan Druart
---
 installer/data/mysql/atomicupdate/bug_13664.sql | 2 ++
 installer/data/mysql/sysprefs.sql | 1 +
 .../prog/en/modules/admin/preferences/patrons.pref | 7 +++++++
 3 files changed, 10 insertions(+)
 create mode 100644 installer/data/mysql/atomicupdate/bug_13664.sql
diff --git a/installer/data/mysql/atomicupdate/bug_13664.sql b/installer/data/mysql/atomicupdate/bug_13664.sql
new file mode 100644
index 0000000000..79893365f7
--- /dev/null
+++ b/installer/data/mysql/atomicupdate/bug_13664.sql
@@ -0,0 +1,2 @@
+INSERT IGNORE INTO systempreferences (`variable`, `value`, `options`, `explanation`, `type`)
+VALUES ('RequireStrongPassword','0','','Require a strong login password for staff and patrons','YesNo');
diff --git a/installer/data/mysql/sysprefs.sql b/installer/data/mysql/sysprefs.sql
index 47288874f6..1cb1ae10c0 100644
--- a/installer/data/mysql/sysprefs.sql
+++ b/installer/data/mysql/sysprefs.sql
@@ -450,6 +450,7 @@ INSERT INTO systempreferences ( `variable`, `value`, `options`, `explanation`, `
 ('ReplyToDefault','',NULL,'Use this email address as the replyto in emails','Free'),
 ('ReportsLog','0',NULL,'If ON, log information about reports.','YesNo'),
 ('RequestOnOpac','1',NULL,'If ON, globally enables patron holds on OPAC','YesNo'),
+('RequireStrongPassword','1','','Require a strong login password for staff and patrons','YesNo'),
 ('ReservesControlBranch','PatronLibrary','ItemHomeLibrary|PatronLibrary','Branch checked for members reservations rights','Choice'),
 ('ReservesMaxPickUpDelay','7','','Define the Maximum delay to pick up an item on hold','Integer'),
 ('ReservesNeedReturns','1','','If ON, a hold placed on an item available in this library must be checked-in, otherwise, a hold on a specific item, that is in the library & available is considered available','YesNo'),
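Review bot: The upgrade script seeds RequireStrongPassword with value '0' while the sysprefs.sql hunk in the same commit seeds it with '1', so an upgraded installation keeps accepting passwords that a fresh installation would reject; the commit message says this is deliberate, but nothing in either file records it, and the two rows read side by side look like a typo waiting to be "fixed" in one direction or the other. A comment above the INSERT would pin the intent: `-- Intentionally '0' for upgraded installs (sysprefs.sql seeds new installs with '1'); turning it on is a manual step, see Bug 18298.` The file is also named bug_13664.sql although the patch subject is Bug 18298; unless that number is intentional, renaming it to match keeps the upgrade step traceable to its bug. Both INSERT statements are complete within their hunks.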
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/patrons.pref b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/patrons.pref
index 3a95ba71aa..f52cd2eaaf 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/patrons.pref
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/patrons.pref
@@ -89,6 +89,13 @@ Patrons:
 - pref: minPasswordLength
 class: integer
 - characters long.
+ -
+ - pref: RequireStrongPassword
+ choices:
+ yes: "Require"
+ no: "Don't require"
+ - a strong password for staff and patrons
+ - (Must contain at least one digit, one lowercase and one uppercase).
 -
 - Show a notice if the patron is about to expire or has expired
 - pref: NotifyBorrowerDeparture
-- 
2.39.5
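Review bot: The help text on the last added line drops the noun after "lowercase and one uppercase" and says nothing about how the rule combines with the minPasswordLength preference shown directly above it, which the commit message names as the way to tighten the requirement further; an administrator reading the preferences page cannot tell the two are cumulative. Suggest `- (Must contain at least one digit, one lowercase and one uppercase letter; minPasswordLength still applies).` The bare `yes:`/`no:` keys are read as booleans by YAML 1.1 parsers, so they are only safe if the rest of patrons.pref uses the same form for YesNo choices, which this hunk does not show. The enclosing `Patrons:` block starts and ends outside the hunk.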