
#66 Improve password handling/user security

open
None
5
2020-09-23
2020-09-23
No

A good password needs two things:

1) Being strong. This tool explains how to compute a strong password: https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/

The greater the diversity of the alphabet, the shorter the password can be. But in my opinion, using special characters and forcing capitals makes passwords difficult to remember in practice. If we eliminate the requirement for capital letters and special characters, only the length remains to compensate. In this case it is 16 characters at least, which cannot be memorized either.

2) Unique for each login/website/software. A password MUST always be used for a single account; otherwise compromising one access leads to easy compromise of every access that shares the same password. Here again there is an explosion in the number of passwords, which becomes impossible to remember.

All this because the cracking of accesses is done by machines whose capabilities surpass human ones. It is therefore necessary to increase the complexity beyond what the machine can do.

There are two very distinct cases depending on the installation context.

1) Installation in a company / university or any other environment controlled by a team of system administrators.

It is the administrator's responsibility to configure HTTPS and connect Wikindx to their authentication server using LDAP / SAML or other centralization protocols. We have to provide the means to do this, as for LDAP.

2) Installation in an uncontrolled environment.

In this case, we cannot rely on either the competence of the administrator or the availability of resources.
There are only two ways to compensate:

1) Delegate authentication to an external service with the OpenID protocol (or another), hoping that this will be done well. I don't know if any open source communities offer this service. For example, we can set up our own online service with lemonldapng for Wikindx users (https://framalibre.org/content/lemonldapng). Development tool websites often allow authentication via a third party such as GitHub.

2) As a last resort, you need your own authentication system, and in this case a compromise in the way the password is issued is always necessary, for lack of a physical encounter.

This does not take away from the need for a strong and unique password.

Reading:
See https://linuxfr.org/news/sortie-de-lemonldap-ng-2-0
https://lemonldap-ng.org/documentation/2.0/renater
https://www.renater.fr/
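As an added worked example (not part of the ticket above and not Wikindx code), here is the arithmetic behind the first point, done the way the linked calculator does it: the alphabet size implied by the character classes present, raised to the power of the length, expressed in bits. The 80-bit target, the four character classes with their sizes (26/26/10/32), and the sample passwords are assumptions constructed for this example, not values taken from the ticket or from the ssi.gouv.fr page.

```python
import math
import string

# Character classes used to infer the alphabet a password was drawn from.
# The split and the sizes (26/26/10/32) are an assumption of this example,
# not values quoted from the ssi.gouv.fr calculator.
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),  # 26
    "uppercase": set(string.ascii_uppercase),  # 26
    "digits": set(string.digits),              # 10
    "special": set(string.punctuation),        # 32
}

# Target strength in bits. 80 is an assumed threshold for this example.
TARGET_BITS = 80


def entropy_bits(length, alphabet_size):
    """Entropy of a password of `length` symbols drawn uniformly at random
    from an alphabet of `alphabet_size` symbols: length * log2(alphabet)."""
    if length <= 0 or alphabet_size < 2:
        return 0.0
    return length * math.log2(alphabet_size)


def min_length(target_bits, alphabet_size):
    """Shortest length that reaches `target_bits` for a given alphabet.
    This is the trade-off in the ticket: a smaller alphabet (no capitals,
    no special characters) has to be compensated by a longer password."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def alphabet_size_of(password):
    """Infer the alphabet from the character classes actually present.
    Characters outside the four classes (accented letters, non-ASCII
    symbols) are ignored by this estimator."""
    size = 0
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def estimate_bits(password):
    """Strength estimate for a candidate password, valid only if it was
    generated uniformly at random from the inferred alphabet. A dictionary
    word or an already-leaked password scores high by this arithmetic yet
    falls immediately to a wordlist, so the result is an upper bound."""
    return entropy_bits(len(password), alphabet_size_of(password))


def is_strong(password, target_bits=TARGET_BITS):
    return estimate_bits(password) >= target_bits


def length_table(target_bits=TARGET_BITS):
    """Minimum length per policy for the target, returned as a dict so the
    values can be checked rather than only printed."""
    policies = {
        "lowercase only": 26,
        "lowercase + digits": 36,
        "lower + upper + digits": 62,
        "all four classes": 94,
    }
    return {name: min_length(target_bits, size) for name, size in policies.items()}


if __name__ == "__main__":
    for policy, length in length_table().items():
        print(f"{policy:24s} needs at least {length} characters for {TARGET_BITS} bits")
    # Constructed sample passwords for the demonstration, not real credentials.
    for pw in ["correcthorsebattery", "Tr0ub4dor&3", "h7k2pqz9v3m4n8w1"]:
        print(f"{pw!r:24s} {estimate_bits(pw):5.1f} bits, strong={is_strong(pw)}")
```

With the assumed 80-bit target, a lowercase-plus-digits alphabet (36 symbols, about 5.17 bits per character) needs 16 characters, which is the "16, at least" figure in the ticket, while lowercase only needs 18 and all four classes need 13. The estimator can only say that a password could be strong: "correcthorsebattery" scores about 89 bits here because the arithmetic assumes random generation, and a real check must also reject dictionary words and known-leaked passwords. Uniqueness across sites, the ticket's second point, is not something this arithmetic can measure at all.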
