Use password check on /admin/users/edit.php
Bug #1625361 reported by Kristina Hoeppner
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | Fix Released | Medium | Unassigned | |
Bug Description
When you change your password on your personal account settings page or via the force password screen, it goes through a password checker to determine some basic security and length of the password.
These checks are not performed when changing the password on /admin/
For example: I can enter the password "mahara" on that screen, but can't use it on /account/index.php because it's deemed too simple.
I thought this was a design decision. An admin is most likely setting a temporary password for another user, or (in my case) setting up a test password for dev purposes. In those cases, it's more convenient not to have the password restrictions in place.
Although, I'd be happy if we added the password restrictions everywhere, *but* added a config-defaults.php setting to optionally disable them. (Moodle has this. You can put "$CFG->passwordpolicy = 0;" in your config.php, and it will disable password restrictions.)
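
One way to close the gap this report describes, as an added example that is not Mahara's own code: both password-setting paths call a single function that runs the policy, with an opt-out setting like the one suggested in the comment above. The function names, the `$cfg` array, the `must_change` flag, the 8-character minimum and the deny-list are all assumptions made for illustration.

```php
<?php
// Added illustration, not Mahara's code. Every name below is hypothetical.
$cfg = ['passwordpolicy' => true];   // assumed opt-out switch, on by default
const WEAK_PASSWORDS = ['mahara', 'password', 'abc123', 'changeme']; // constructed list
// Returns the list of policy violations; an empty list means acceptable.
function password_policy_errors(string $password, string $username, array $cfg): array {
    if (empty($cfg['passwordpolicy'])) {
        return [];                   // site admin switched the policy off
    }
    $errors = [];
    if (strlen($password) < 8) {     // assumed minimum length
        $errors[] = 'too short';
    }
    if (in_array(strtolower($password), WEAK_PASSWORDS, true)) {
        $errors[] = 'too simple';
    }
    if (strcasecmp($password, $username) === 0) {
        $errors[] = 'same as username';
    }
    return $errors;
}

// The only function that writes a password hash, so no caller can skip the policy.
function set_user_password(array &$user, string $new, array $cfg): array {
    $errors = password_policy_errors($new, $user['username'], $cfg);
    if (!$errors) {
        $user['hash'] = password_hash($new, PASSWORD_DEFAULT);
    }
    return $errors;
}

// Self-service path (the account settings page).
function account_settings_submit(array &$user, string $new, array $cfg): array {
    return set_user_password($user, $new, $cfg);
}

// Admin path: same check, and the admin-chosen password is flagged as temporary.
function admin_edit_user_submit(array &$target, string $new, array $cfg): array {
    $errors = set_user_password($target, $new, $cfg);
    if (!$errors) {
        $target['must_change'] = true;   // assumed flag: force a change at next login
    }
    return $errors;
}

$user = ['username' => 'student1', 'hash' => null];   // constructed sample account
print_r(admin_edit_user_submit($user, 'mahara', $cfg));            // weak password, admin path
print_r(account_settings_submit($user, 'mahara', $cfg));           // same password, user path
print_r(admin_edit_user_submit($user, 'tram-Lantern-62', $cfg));   // longer passphrase
```

Setting `$cfg['passwordpolicy']` to `false` makes both paths skip the check, which covers the test and temporary-password cases raised in the comment while keeping enforcement as the default.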