Open ruKurz opened 6 years ago
Hi @ruKurz
could you please elaborate on why that should be the case?
Cheers Thomas
As far as I know, invalidating initial passwords after a shorter period of time (compared to the period for locking inactive users) helps security. Among other things, because the misuse is not actively detected by the user. If a user account has been created that is not being used, the brute-force attack vector increases slightly (by the number of user accounts that could potentially be attacked).
If you are aware of contradictory recommendations, I would be pleased to have a reference, similar to the one for enforcing password changes.
Hi @ruKurz
I see. To be honest, I don't know about best practice regarding this very topic, yet I would assume that if
The admin itself seems to be no consideration as an attacker because, quite obviously, he could get the password from memory on login.
If a user account has been created that is not being used, the brute-force attack vector increases slightly (by the number of user accounts that could potentially be attacked).
This seems to be true on first thought, yet when I think about it further, I think you have to distinguish between the probability of the whole system having a case of a successful brute-force attack or the probability of one single account getting brute-forced. But then again, I'm not well versed in probability theory so I think I'll refrain from further comments and leave that up to the developers.
If you are aware of contradictory recommendations, I would be pleased to have a reference, similar to the one for enforcing password changes.
No, I am not aware of any best practices in that sector. Sorry.
Cheers Thomas
the password is sent with the initial registration mail it should of course be changed, as it may (or may not) have been exposed to intermediary SMTP relays
Encrypting the message content could help here. This solution is then outside of RC.
Probability theory
That's the keyword: Like you, I'm not exactly familiar with it, so it's hard for me to evaluate the probability of occurrence (single account vs. whole system). I would be happy to hear an expert statement about this.
Thank you for your feedback and sharing your thoughts.
Currently, the initial password of local users created by an admin, but never attempting to log on, is valid indefinitely. Initial passwords of users created by an administrator are to lose their validity after a configurable period of time.