Thread: Clear Passwords
21st March 2007, 12:13
AlArenal

I totally agree with Falko. Passwords have to be stored as safely as possible on the server. Everything else compromises security and therefore is not an option at all.

You can think about mechanisms to automatically create new passwords and send them by e-mail with a confirmation link, but that's it. If someone likes to use a common password (which he shouldn't) and cannot remember it (How common is it, then?) then he/she will have to change it back afterwards.

It's okay to have the system assist a user if he/she forgot a password (which should not occur anyway) but it's not okay to compromise security, not even as a hidden option in the config file.

What I would like to see is a password field for newly created items that's filled with a relatively secure random password by default. Make it an optional setting, if an admin doesn't like it, and/or let him/her define the rules for passwords like "must contain digits", "must contain special characters", "must be at least x characters long", "must contain upper and lower case", etc.
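The pre-filled random password with admin-defined rules proposed in the post above, sketched as an added example that is not part of the original post or of any product's code. The `PasswordPolicy` class, the function names, the special-character set and the default length of 16 are assumptions made for illustration.

```python
import secrets
import string
from dataclasses import dataclass

SPECIALS = "!#$%&*+-=?@_"  # constructed set; an admin would pick their own
ALPHABET = string.ascii_letters + string.digits + SPECIALS

@dataclass(frozen=True)
class PasswordPolicy:          # hypothetical config object, one flag per rule
    min_length: int = 16       # assumed default
    require_digits: bool = True
    require_special: bool = True
    require_mixed_case: bool = True

def violations(password, policy):
    """Return the rules the password breaks; an empty list means it passes."""
    broken = []
    if len(password) < policy.min_length:
        broken.append(f"must be at least {policy.min_length} characters long")
    if policy.require_digits and not any(c in string.digits for c in password):
        broken.append("must contain digits")
    if policy.require_special and not any(c in SPECIALS for c in password):
        broken.append("must contain special characters")
    if policy.require_mixed_case and not (
        any(c.islower() for c in password) and any(c.isupper() for c in password)
    ):
        broken.append("must contain upper and lower case")
    return broken

def generate_password(policy):
    """Pre-fill value: draw from the OS CSPRNG, redraw until every rule holds.

    Redrawing whole candidates (instead of forcing one character per class
    into fixed slots) keeps the result uniform over all compliant passwords.
    """
    # Each enabled rule needs at least one character, so never go shorter.
    needed = (2 * policy.require_mixed_case + policy.require_digits
              + policy.require_special)
    length = max(policy.min_length, needed)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not violations(candidate, policy):
            return candidate

if __name__ == "__main__":
    policy = PasswordPolicy()
    print(generate_password(policy))
    print(violations("password", policy))
```

The same `violations` check can be applied to a password the user types in, so generated and user-chosen passwords are held to one rule set.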