Use password check on /admin/users/edit.php

Bug #1625361 reported by Kristina Hoeppner
Affects: Mahara
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: none

Bug Description

When you change your password on your personal account settings page or via the force password screen, it goes through a password checker to determine some basic security and length of the password.

These checks are not performed when changing the password on /admin/users/edit.php as admin.

For example: I can enter the password "mahara" on that screen, but can't use it on /account/index.php because it's deemed too simple.

Aaron Wells (u-aaronw) wrote:

I thought this was a design decision. An admin is most likely setting a temporary password for another user, or (in my case) setting up a test password for dev purposes. In those cases, it's more convenient not to have the password restrictions in place.

Although, I'd be happy if we added the password restrictions everywhere, *but* added a config-defaults.php setting to optionally disable them. (Moodle has this. You can put "$CFG->passwordpolicy=0;" in your config.php, and it will disable password restrictions.)

Kristina Hoeppner (kris-hoeppner) wrote:

I don't know if it was a design decision or not and can't remember if we discussed it recently. It is handy when setting up test accounts for sure. Sometimes site admins do create passwords on the spot for users, who then don't change them. That gets around the policy. And when passwords are sent out, they are best copied and pasted rather than typed.

Adding a policy cfg would be a good option to still make testing easier if we also require any accounts to have a stronger password.
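The consistent-enforcement point made in the bug description and the config toggle discussed in the comments, as an added PHP illustration (not Mahara's own code): every screen that sets a password calls one shared policy check, and a single config flag turns that check off for dev/test installs. The policy values, the `passwordpolicy` key (modelled on the Moodle setting Aaron mentions), the function name and the sample inputs are all assumptions.

```php
<?php
// Added example, not Mahara's own code: one password-policy check that every
// password-setting path calls, so /admin/users/edit.php cannot bypass the rules
// enforced on /account/index.php. Policy values, the 'passwordpolicy' config
// key and all names below are assumed for the illustration.
declare(strict_types=1);

const PASSWORD_MIN_LENGTH  = 8;   // assumed policy value
const PASSWORD_MIN_CLASSES = 3;   // of: lowercase, uppercase, digit, other
const PASSWORD_BLOCKLIST   = ['mahara', 'password', 'admin']; // assumed list

// Returns [] when $password passes, otherwise the list of reasons it failed.
// An empty/false $config['passwordpolicy'] disables the checks site-wide,
// which is the opt-out for dev and test installs discussed in the thread.
function check_password_policy(string $password, string $username, array $config): array
{
    if (empty($config['passwordpolicy'])) {
        return [];
    }
    $problems = [];
    if (strlen($password) < PASSWORD_MIN_LENGTH) {
        $problems[] = 'shorter than ' . PASSWORD_MIN_LENGTH . ' characters';
    }
    $classes = (int) preg_match('/[a-z]/', $password)
             + (int) preg_match('/[A-Z]/', $password)
             + (int) preg_match('/[0-9]/', $password)
             + (int) preg_match('/[^a-zA-Z0-9]/', $password);
    if ($classes < PASSWORD_MIN_CLASSES) {
        $problems[] = 'fewer than ' . PASSWORD_MIN_CLASSES . ' character types';
    }
    if (in_array(strtolower($password), PASSWORD_BLOCKLIST, true)) {
        $problems[] = 'too simple';
    }
    if (strcasecmp($password, $username) === 0) {
        $problems[] = 'same as the username';
    }
    return $problems;
}

// Each screen that sets a password goes through the same function; the admin
// page is no exception. Sample screens and candidates are constructed inputs.
$config = ['passwordpolicy' => true];
foreach (['account/index.php', 'admin/users/edit.php'] as $screen) {
    foreach (['mahara', 'Kv7#longphrase'] as $candidate) {
        $problems = check_password_policy($candidate, 'bob', $config);
        printf("%-22s %-16s %s\n", $screen, $candidate,
               $problems ? 'rejected: ' . implode(', ', $problems) : 'accepted');
    }
}
```

Setting `'passwordpolicy' => false` in `$config` makes both screens accept "mahara", which is the documented trade-off of such a toggle: it must only be enabled on installs where weak passwords are acceptable.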

Changed in mahara:
milestone: 16.10.0 → none
Kristina Hoeppner (kris-hoeppner) wrote:

This was fixed when the password policy was implemented. An admin must adhere to the same password policy rules as in other places.

Changed in mahara:
status: Confirmed → Fix Released
This report contains Public Security information.
