CredComSoc / CreditCoopTech

Credit Coop Tech
Mozilla Public License 2.0

Improvement to password security #311

Closed tfwoodroofMCS closed 3 months ago

tfwoodroofMCS commented 4 months ago

When a user's account is created by an admin, the user receives a welcome email that includes a short and weak-looking password in plain text:

Image

The user is able to log in with this immediately, and there is no prompt to reset the password to something stronger and for which there is no plain-text record.

This could be improved simply by not including a password in the welcome email, but rather instructing the user that their account set-up can be completed by following the password reset flow, which involves them setting a password of their choosing, and which will only be used/stored (by the app at least) in encrypted form. The link included in the email could in fact direct them straight to the password reset page.
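The set-up flow proposed above, as an added example that is not part of this issue or the CreditCoopTech code base: the welcome email carries only a single-use, expiring set-password link, and the app stores a hash of the token rather than any password. The function names, the in-memory `USERS` store, the `example.invalid` base URL and the 24-hour validity window are assumptions.

```python
# Added example, not CreditCoopTech's own code. Names, the in-memory store and
# the 24-hour window are assumptions chosen for illustration.
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed validity window for the set-password link

# Assumed in-memory stand-in for the users table: user_id -> record
USERS = {}


def issue_setup_token(user_id, now=None):
    """Create a random set-password token; persist only its hash and expiry.
    Returns the raw token exactly once, for embedding in the emailed link."""
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)
    USERS[user_id] = {
        "setup_token_hash": hashlib.sha256(raw.encode()).hexdigest(),
        "setup_token_expires": now + TOKEN_TTL_SECONDS,
    }
    return raw


def welcome_email_body(user_id, raw_token, base_url="https://example.invalid"):
    """Welcome mail containing a set-password link and no credential in the text."""
    return (
        "Your account has been created. Choose your password here:\n"
        f"{base_url}/password/reset?uid={user_id}&token={raw_token}\n"
        f"The link expires in {TOKEN_TTL_SECONDS // 3600} hours."
    )


def redeem_setup_token(user_id, presented, now=None):
    """Validate the emailed token: constant-time hash comparison, not expired,
    and single use (the stored hash is cleared on success)."""
    now = time.time() if now is None else now
    rec = USERS.get(user_id)
    if rec is None or rec.get("setup_token_hash") is None:
        return False
    if now > rec["setup_token_expires"]:
        return False
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(presented_hash, rec["setup_token_hash"]):
        return False
    rec["setup_token_hash"] = None  # burn the token so the link cannot be reused
    return True
```

On success the application would then show the normal password reset form, so the only password that ever exists is the one the user chooses.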

EugeneJoe commented 3 months ago

Change sign up flow to redirect to password reset flow.