Closed Bug 672150 Opened 13 years ago Closed 9 years ago

set password_complexity to letters_numbers

Categories

(bugzilla.mozilla.org :: General, defect)

Production
defect
normal


RESOLVED FIXED

People

(Reporter: glob, Unassigned)

Details

currently password_complexity on bmo is set to no_constraints.

i don't see any reason why this shouldn't be set to letters_numbers ("Passwords must contain at least one UPPER and one lower case letter and a number").
Does this affect current passwords or only new passwords?
OS: Windows 7 → All
Hardware: x86 → All
(In reply to comment #1)
> Does this affect current passwords or only new passwords?

new passwords only.  as we hash passwords there's no way it could be applied to existing passwords.
(In reply to comment #2)
> (In reply to comment #1)
> > Does this affect current passwords or only new passwords?
> 
> new passwords only.  as we hash passwords there's no way it could be applied
> to existing passwords.

Sure it could. You could check password complexity against the actual plaintext password before it is hashed for comparison. If the plaintext password fails the requirement, you could force the user to change his/her password.
This increases the barrier for bug filers, and as such I would oppose it.

One way to make it not increase the barrier for bug filers would be to somehow limit this restriction only to certain accounts that actually have some sort of permissions.
The feature was added as part of the 4.0 upgrade but left off until further notice as we were unsure of how people would feel about it. I am all for getting feedback from a broad selection of BMO users to see if it would cause any hardship.

I am not sure how limiting to accounts with permissions would work as brand new accounts do not yet have permissions set, so the password would always be the least complex initially. Then if we go in and increase the user's permissions past the threshold requiring heightened complexity, what happens if they never need to relogin and then reenter their current password? Say if they always use the same system and/or their cookies never expire.

Here is a case where password expiration would actually be helpful: after 30, 60, 90 days, whatever, when a user has to choose a new password, they have to enter one that matches the complexity setting based on their permissions level.

There is always the brute force scenario where you set the complexity for a specific permissions level and then force everyone with those permissions to relogin at the next access. Something similar to removing entries from the logincookies table for those users. That may cause some problems though.

dkl
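The two mechanisms discussed in comment 3 and comment 5 (checking the plaintext against the complexity setting at login, after the hash verifies, and killing the live sessions of a user whose permissions just crossed the threshold so the next access has to go through login again) fit together in a small model. The following is an added example written for this page, not Bugzilla's own Perl code: the PBKDF2 hashing, the `PRIVILEGED_GROUPS` threshold, the `Tracker` class and its session dictionary (standing in for the logincookies table) are all assumptions made here for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Complexity settings as the bug describes them: letters_numbers requires
# "at least one UPPER and one lower case letter and a number"; no_constraints
# accepts anything (what bmo ran at the time).
POLICIES = {
    "no_constraints": [],
    "letters_numbers": [r"[A-Z]", r"[a-z]", r"[0-9]"],
}
# Assumed threshold (not from Bugzilla): membership in any of these groups
# bumps the account to the letters_numbers policy.
PRIVILEGED_GROUPS = {"editbugs", "canconfirm", "admin"}


def meets_policy(password, policy):
    """True if the plaintext satisfies every pattern of the named policy."""
    return all(re.search(p, password) for p in POLICIES[policy])


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 (a stand-in; the page does not show the real scheme)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


class Tracker:
    """Toy account store: users, their groups, and live sessions."""

    def __init__(self):
        self.users = {}     # login -> {"hash", "groups", "must_change"}
        self.sessions = {}  # token -> login (the logincookies analogue)

    @staticmethod
    def required_policy(groups):
        return "letters_numbers" if groups & PRIVILEGED_GROUPS else "no_constraints"

    def add_user(self, login, password):
        # New accounts have no groups yet, so only the base policy applies at signup.
        if not meets_policy(password, self.required_policy(set())):
            raise ValueError("password does not meet policy")
        self.users[login] = {"hash": hash_password(password),
                             "groups": set(), "must_change": False}

    def login(self, login, password):
        """Returns (status, token).

        The plaintext is compared with the policy only after the hash verifies,
        so a wrong guess never learns anything about the policy, and the
        plaintext is never stored or logged; it exists only for this call.
        """
        user = self.users.get(login)
        if user is None or not verify_password(password, user["hash"]):
            return ("denied", None)
        if not meets_policy(password, self.required_policy(user["groups"])):
            user["must_change"] = True
            return ("change_required", None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = login
        return ("ok", token)

    def change_password(self, login, new_password):
        user = self.users[login]
        if not meets_policy(new_password, self.required_policy(user["groups"])):
            return False
        user["hash"] = hash_password(new_password)
        user["must_change"] = False
        return True

    def grant_group(self, login, group):
        """Raise privileges; if that makes the required policy stricter, drop the
        user's sessions so the next access goes through login() and the check."""
        user = self.users[login]
        before = self.required_policy(user["groups"])
        user["groups"].add(group)
        if self.required_policy(user["groups"]) != before:
            self.sessions = {t: u for t, u in self.sessions.items() if u != login}

    def is_logged_in(self, token):
        return token in self.sessions
```

Walking through the scenario from comment 5: an account created with a weak password logs in fine, is then added to an assumed privileged group, loses its session, and on the next login is told to change the password; the change is refused until the new password satisfies letters_numbers. The stricter policy therefore catches up with an existing account without anyone ever seeing the stored hash, which is the point comment 3 makes.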
(In reply to comment #5)
> Then if we then go in and increase the user's
> permissions past the threshold requiring heightened complexity, what happens
> if they never need to relogin and then reenter their current password?

I would do a force-logout on them in that case. (This is not too hard.)
this happened ages ago.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED