Bug #2264

New user password change doesn't actually require a password change.

Added by Greg Gauthier about 4 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 27.07.2015
Due date:
% Done: 0%
Estimated time:
Sorting:
Commit Number:
Affected Version:

Description

When creating a new user, if you select the "password change" checkbox to force a password change on the first login, the user will be prompted appropriately, but he doesn't actually have to supply a different password. It can be the exact same password he first logged on with.

In fact, if you go to @_admin/my_account/password@ after logging in and execute a change of password, you can put the same password in all three fields, and it will be successful. It's as though we're not doing any checking at all.

Some thoughts I have:

  1. If we're going to include a "force change" for new users, it should actually force a change, and not allow me to simply use the same password over again.

  2. For password changes on a logged in user:
    a. If we don't care that it's the same password, then we should simply offer a field for the new password, because the old one doesn't really matter.
    b. If we DO care that it's the same, then we should be checking, just like on new user logins.

What do you guys think?

History

#1 Updated by Johannes Bornhold almost 4 years ago

I would narrow down the scope of this problem to only address the "force password change" part.

#2 Updated by Marcin Kuzminski [staff] over 3 years ago

  • Private changed from No to Yes

#3 Updated by Marcin Kuzminski [staff] about 3 years ago

  • Target version set to v4.3

#4 Updated by Marcin Kuzminski [staff] about 3 years ago

  • Target version changed from v4.3 to v4.4

#5 Updated by Marcin Kuzminski [staff] about 3 years ago

  • Private changed from Yes to No

#6 Updated by Daniel D about 3 years ago

Should never allow password changes without entering a current password for the case when a bad party finds a logged in user and can change the password. In fact this should also probably be done to email as well since it can be used to reset the password via 'forgot password' functionality.
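The two gaps raised in the description (a "force password change" that accepts the old password again) and in comment #6 (a change endpoint that should require the current password) can be closed in one validation routine. The following is an added example written for this page; it is not RhodeCode's code and was not posted by any participant. The names UserStore, change_password, login and the result strings are hypothetical, and password hashing uses the standard library's PBKDF2 so the script runs offline.

```python
"""Password-change validation that actually enforces a change.

Hypothetical model of the ticket's fix: a "force password change" flag
that is cleared only when the new password differs from the stored one,
and a change endpoint that verifies the current password before touching
any state. Not RhodeCode's implementation.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: a modest PBKDF2 work factor so the example runs quickly.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, derived_key) using PBKDF2-HMAC-SHA256 with a fresh salt."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password, salt, key):
    """Constant-time check of a candidate password against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, key)


@dataclass
class User:
    username: str
    salt: bytes
    key: bytes
    force_password_change: bool = False


class UserStore:
    """In-memory user table (constructed for the example)."""

    def __init__(self):
        self._users = {}

    def create_user(self, username, password, force_change=False):
        salt, key = hash_password(password)
        self._users[username] = User(username, salt, key, force_change)
        return self._users[username]

    def login(self, username, password):
        """Return 'bad-credentials', 'change-required', or 'ok'."""
        user = self._users.get(username)
        if user is None or not verify_password(password, user.salt, user.key):
            return "bad-credentials"
        return "change-required" if user.force_password_change else "ok"

    def change_password(self, username, current, new, confirm):
        """Validate and apply a password change.

        All checks run before any state is modified, so a rejected request
        leaves the stored hash and the force flag exactly as they were.
        """
        user = self._users.get(username)
        if user is None or not verify_password(current, user.salt, user.key):
            # Comment #6: never change a password without the current one,
            # so someone at an unlocked session cannot take over the account.
            return "wrong-current-password"
        if new != confirm:
            return "confirmation-mismatch"
        # Compare the new password against the stored hash rather than the
        # submitted `current` field, so the reuse check cannot be sidestepped.
        if verify_password(new, user.salt, user.key):
            return "password-unchanged"
        user.salt, user.key = hash_password(new)
        user.force_password_change = False
        return "changed"


if __name__ == "__main__":
    store = UserStore()
    store.create_user("newuser", "initial-pw", force_change=True)
    print(store.login("newuser", "initial-pw"))                       # change-required
    print(store.change_password("newuser", "initial-pw", "initial-pw", "initial-pw"))  # password-unchanged
    print(store.change_password("newuser", "initial-pw", "new-pw-1", "new-pw-1"))      # changed
    print(store.login("newuser", "new-pw-1"))                         # ok
```

The force flag is only cleared on the "changed" path, so a user who re-submits the original password stays in the change-required state on the next login, which is the behaviour the description asks for.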

#8 Updated by Daniel D about 3 years ago

  • Status changed from New to In Progress
