Set (non-empty) default password

by David Berner on October 02, 2015

Currently, when you create a new user in SBM, by default it will set an empty password. This is a security concern when using fallback authentication via internal passwords. It would be great to be able to set a default password, or an option to block login via an empty password.

  • Having empty passwords by default can be a huge security risk. Unfortunately there seems to be currently no way to set a default password for new users.

    Alternatively, being able to block a login via empty passwords would be a good option as well, since it is not easy to determine on an existing database which users do have empty passwords or not.

    What we did as a workaround is the following:

    1. reset the passwords in the DB for all users to a non-empty value (by carefully conserving credentials of known internal users)
    2. create new users solely by a copy of existing template users, who have non-zero passwords.
    3. repeat this process regularly in case users have been created anyway from scratch, inserting empty passwords into the system
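
    The audit-and-reset workaround above, as an added example that is not part of the original post and not SBM's own code or schema. It assumes a hypothetical `users` table with `login`, `salt`, `pw_hash` and `must_change` columns, and uses a salted SHA-256 as a stand-in for whatever hash the product really stores; the point it shows is that an "empty" password may be stored either as an empty field or as the hash of the empty string, so both forms have to be checked before issuing temporary passwords.

```python
import hashlib
import secrets
import sqlite3

def hash_password(salt: str, password: str) -> str:
    """Stand-in for the product's real password hash (an assumption, not SBM's scheme)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed sample accounts; the users table and its columns are assumptions.
SAMPLE_USERS = [
    ("alice", "s1", hash_password("s1", "correct horse battery")),
    ("bob", "s2", ""),                         # password never set: stored as ''
    ("carol", "s3", hash_password("s3", "")),  # stored as the hash of ''
    ("svc_build", "s4", hash_password("s4", "build-token")),
]
PROTECTED = {"svc_build"}  # known internal accounts whose credentials must be preserved

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, salt TEXT, "
                 "pw_hash TEXT, must_change INTEGER NOT NULL DEFAULT 0)")
    conn.executemany("INSERT INTO users (login, salt, pw_hash) VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def find_empty_password_users(conn: sqlite3.Connection) -> list:
    # An empty password can be stored as '' or as the per-user hash of '',
    # so each row is compared against H(salt + '') rather than only against ''.
    rows = conn.execute("SELECT login, salt, pw_hash FROM users ORDER BY login").fetchall()
    return [login for login, salt, pw_hash in rows
            if pw_hash == "" or pw_hash == hash_password(salt, "")]

def reset_to_temporary(conn: sqlite3.Connection, logins: list) -> dict:
    # Give every flagged account a random temporary password that must be changed
    # at next login; protected internal accounts are skipped, never overwritten.
    issued = {}
    for login in logins:
        if login in PROTECTED:
            continue
        temp, salt = secrets.token_urlsafe(12), secrets.token_hex(8)
        conn.execute("UPDATE users SET salt = ?, pw_hash = ?, must_change = 1 WHERE login = ?",
                     (salt, hash_password(salt, temp), login))
        issued[login] = temp  # deliver through an out-of-band channel such as e-mail
    conn.commit()
    return issued

if __name__ == "__main__":
    db = open_db()
    print(reset_to_temporary(db, find_empty_password_users(db)))
```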

  • After review, we've determined that the system can generate temporary passwords upon a NewUser create.

    "Decide if temporary passwords should be generated for active users that are imported or updated. This option is useful in the event that the e-mail that contains the user's initial temporary password is sent to the wrong e-mail address or if it is no longer available. Note the following:

    If your system will not use LDAP authentication after the import is finished, this option helps ensure that users are not created with empty passwords.

    When this option is selected, an e-mail is automatically sent to each user with the newly-generated temporary password.

    If new users have not changed their temporary passwords yet, and you are updating users, this option regenerates the temporary passwords for those users as well. The users will still be required to change the password upon initial log in.

    This option is selected by default."

    While not enabling a default password, this does address the original concern about having an empty password. I'm going to mark this as "Already offered" as we do have the option to block login via an empty password.
    Commented by David J. Easter, January 29, 2018

    This idea has been put under consideration for the 2HCY'17 release.
    Commented by David J. Easter, July 11, 2016