User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 (.NET CLR 3.5.30729)
Build Identifier:

Description of problem:
If you create a password shorter than six chars in Mageia Identity System you cannot login to bugzilla. Please block passwords shorter than six chars in Mageia Identity System.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create an account in Mageia Identity System
2. Choose a password shorter than six characters (i.e. I chose five letters)
3. You cannot login to bugzilla.
Summary: Mageia identity system not in sync with bugzilla => Can create unusable passwords shorter than six chars for bugzilla
Priority: Normal => Low
So bugzilla has a built-in limit on the passwords it accepts?

I would rather try to see if this limit is hardcoded in bugzilla and change it. Since identity is gonna be used by forums (and so by non-technical people), I am not sure that forcing a strong password is gonna please everybody (even if I would be in favor of something stronger than 6 letters, i.e. 8 + specific char and so on).
CC: (none) => misc
(In reply to comment #1)
> So bugzilla has a built-in limit on the passwords it accepts?
>
> I would rather try to see if this limit is hardcoded in bugzilla and change it.
> Since identity is gonna be used by forums (and so by non-technical people), I
> am not sure that forcing a strong password is gonna please everybody (
> even if I would be in favor of something stronger than 6 letters, i.e. 8 +
> specific char and so on).

Michael,

Yes, bugzilla limits passwords to at least six chars. I suggested enforcing six minimum chars because I do not know the level of difficulty to change it in bugzilla. Either solution can solve this bug. For me it makes little difference, but I agree it can be annoying for novice users.
The limit is hardcoded, yes. I honestly don't think it's a good idea to lower this limit, unless you don't care about security. 6 is really not "strong" and people who complain that it's too much just don't understand security implications behind it.
I agree and I don't want to change bugzilla to allow smaller passwords. I think that it is identity that needs to be changed. It's for the good of the user after all :)
Good, so I note that you volunteer to handle user complaints about passwords being too complex and people who forget them. Let's reassign this to catdap.
Component: Bugzilla => identity.mageia.org
Version: unspecified => trunk
Product: Infrastructure => Websites
Fixed, by adjusting password policy on LDAP side. CatDap already supports ppolicy for password changes (but, not yet for reporting lock out, or expired password).

For reference:

dn: cn=default,ou=Password Policies,dc=mageia,dc=org
add: pwdMinLength
pwdMinLength: 6
-
add: pwdCheckQuality
pwdCheckQuality: 2

We may want to collect any password restrictions on applications which enforce them on login, to document the password policy.
Status: NEW => RESOLVED
CC: (none) => bgmilne
Resolution: (none) => FIXED
Assignee: dmorganec => bgmilne
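
The mismatch in this report returns whenever the directory accepts a password that an application rejects at login. An added example (not CatDap or Mageia code) that reads the ppolicy change above and compares it with a table of application minimums; the function names and the forum entry are assumptions, and only Bugzilla's minimum of 6 comes from this report.

```python
# Added example: audit an OpenLDAP ppolicy modify record against per-application
# login-time minimum lengths. Function names are hypothetical.
PPOLICY_LDIF = """\
dn: cn=default,ou=Password Policies,dc=mageia,dc=org
add: pwdMinLength
pwdMinLength: 6
-
add: pwdCheckQuality
pwdCheckQuality: 2
"""

# Bugzilla's 6 is from this report; the forum value is a constructed placeholder.
APP_MIN_LENGTH = {"bugzilla": 6, "forum (constructed)": 8}


def parse_modify(ldif):
    """Collect attribute values set by add/replace operations in one record."""
    attrs, op = {}, None
    for line in (raw.strip() for raw in ldif.splitlines()):
        if line == "-":
            op = None                      # "-" ends the current operation
        elif line and not line.startswith(("#", "dn:", "changetype:")):
            key, _, value = line.partition(":")
            if key in ("add", "replace"):
                op = key                   # operation header, e.g. "add: pwdMinLength"
            elif op:
                attrs[key.strip()] = value.strip()
    return attrs


def audit(ldif, apps):
    """Return findings where the directory would accept what an app rejects."""
    attrs = parse_modify(ldif)
    quality = int(attrs.get("pwdCheckQuality", 0))
    # slapo-ppolicy enforces pwdMinLength only when pwdCheckQuality is non-zero.
    floor = int(attrs.get("pwdMinLength", 0)) if quality > 0 else 0
    findings = [f"{app}: requires {need}, directory accepts {floor}"
                for app, need in sorted(apps.items()) if need > floor]
    if quality == 1:
        # With 1, a password the server cannot inspect (pre-hashed) is accepted.
        findings.append("pwdCheckQuality=1: pre-hashed passwords bypass the length check")
    return findings


if __name__ == "__main__":
    for finding in audit(PPOLICY_LDIF, APP_MIN_LENGTH) or ["policy covers all applications"]:
        print(finding)
```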