| Summary: | Can create unusable passwords shorter than six chars for bugzilla | | |
|---|---|---|---|
| Product: | Websites | Reporter: | Luzemário Dantas <luzemario> |
| Component: | identity.mageia.org | Assignee: | Buchan Milne <bgmilne> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | minor | | |
| Priority: | Low | CC: | atelier-bugs, bgmilne, misc |
| Version: | trunk | | |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | | CVE: | |
| Status comment: | | | |

Description
Luzemário Dantas
2011-02-15 17:36:15 CET
Luzemário Dantas
2011-02-15 17:50:28 CET
Summary:
Mageia identity system not in sync with bugzilla =>
Can create unusable passwords shorter than six chars for bugzilla
Luzemário Dantas
2011-02-15 17:50:57 CET
Priority:
Normal =>
Low

So bugzilla has a built-in limit to the password it accepts?

I would rather try to see if this limit is hardcoded in bugzilla and change it. Since identity is gonna be used by forums (and so by non-technical people), I am not sure that forcing to have a strong password is gonna please everybody (even if I would be in favor of something stronger than 6 letters, i.e. 8 + specific char and so on).

CC:
(none) =>
misc

(In reply to comment #1)
> So bugzilla has a built-in limit to the password it accepts?
>
> I would rather try to see if this limit is hardcoded in bugzilla and change it.
> Since identity is gonna be used by forums (and so by non-technical people), I
> am not sure that forcing to have a strong password is gonna please everybody
> (even if I would be in favor of something stronger than 6 letters, i.e. 8 +
> specific char and so on).

Michael,

Yes, bugzilla limits passwords to at least six chars. I suggested enforcing six minimum chars because I do not know the level of difficulty to change it in bugzilla. Either solution can solve this bug. For me it makes little difference, but I agree it can be annoying for novice users.

The limit is hardcoded, yes. I honestly don't think it's a good idea to lower this limit, unless you don't care about security. 6 is really not "strong" and people who complain that it's too much just don't understand the security implications behind it.

I agree and I don't want to change bugzilla to allow smaller passwords. I think that it should be identity that needs to be changed. It's for the good of the user after all :)

Good, so I note that you volunteer to handle user complaints about password too complex and people who forget it. Let's reassign this to catdap.

Component:
Bugzilla =>
identity.mageia.org

Fixed, by adjusting password policy on LDAP side. CatDap already supports ppolicy for password changes (but not yet for reporting lock out or expired password).

For reference:

    dn: cn=default,ou=Password Policies,dc=mageia,dc=org
    add: pwdMinLength
    pwdMinLength: 6
    -
    add: pwdCheckQuality
    pwdCheckQuality: 2

We may want to collect any password restrictions on applications which enforce them on login, to document the password policy.

Status:
NEW =>
RESOLVED
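
The closing comment suggests collecting the password restrictions that applications enforce at login. The sketch below is an added example, not part of this bug report or of Mageia's or CatDap's code: it applies the LDIF from the fix to an empty policy entry and lists the password lengths the directory would accept but an application would reject. Bugzilla's minimum of 6 comes from this bug; the `forum` entry, the function names and the simplified LDIF handling are assumptions made for illustration.

```python
LDIF = """\
dn: cn=default,ou=Password Policies,dc=mageia,dc=org
add: pwdMinLength
pwdMinLength: 6
-
add: pwdCheckQuality
pwdCheckQuality: 2
"""

# Bugzilla's minimum of 6 comes from this bug; "forum" is a constructed entry.
APP_MIN_LENGTH = {"bugzilla": 6, "forum": 8}


def apply_modify(ldif, entry=None):
    """Apply the add/replace/delete operations of one modify record to a dict.
    Simplification: single-valued attributes, delete drops the attribute."""
    entry, op, attr = dict(entry or {}), None, None
    for line in (raw.strip() for raw in ldif.splitlines()):
        if not line or line.startswith(("#", "dn:", "changetype:")):
            continue
        if line == "-":  # separator between operations
            op = attr = None
            continue
        key, _, value = (part.strip() for part in line.partition(":"))
        if op is None:
            if key not in ("add", "replace", "delete"):
                raise ValueError(f"expected an operation, got {line!r}")
            op, attr = key, value
            if op != "add":
                entry.pop(attr, None)
        elif key != attr:
            raise ValueError(f"{line!r} does not belong to {op}: {attr}")
        elif op != "delete":
            entry[attr] = value
    return entry


def unusable_lengths(policy, app_min):
    """Map each application to the lengths LDAP accepts but the app rejects."""
    # pwdMinLength only applies when quality checking is on (pwdCheckQuality > 0).
    checking = int(policy.get("pwdCheckQuality", 0)) > 0
    ldap_min = int(policy.get("pwdMinLength", 0)) if checking else 0
    return {app: list(range(max(ldap_min, 1), need))
            for app, need in sorted(app_min.items()) if need > ldap_min}


if __name__ == "__main__":
    print("before fix:", unusable_lengths({}, APP_MIN_LENGTH))
    print("after fix: ", unusable_lengths(apply_modify(LDIF), APP_MIN_LENGTH))
```

An empty result for an application means every password the directory accepts is also usable there; a policy that sets `pwdMinLength` without `pwdCheckQuality` is treated as enforcing no minimum.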