huridocs / uwazi

Uwazi is a web-based, open-source solution for building and sharing document collections
http://www.uwazi.io
MIT License

Password policy #1987

Open vasyugan opened 5 years ago

vasyugan commented 5 years ago

A new user is expected to set their own password, but I cannot find any place for the administrator to set a password policy (minimum number of characters, requirements for mixed case, digits etc). This is a security issue in my view.

txau commented 5 years ago

@vasyugan arguably =)

vasyugan commented 5 years ago

If the user is completely free to choose any password, don't you think, many of them will go for something like "password", "qwerty" or "12345"?

vasyugan commented 5 years ago

Also, for your information, here is what I just got from a colleague, for whom I set up an account:

Hmmm - just tried to create a password & whatever I do it won't let me create (keeps giving me various reasons). Going to give up for now!

When I asked him for details, he responded:

I got mixed messages - got told they didn't match (even though I was copying & pasting), that the password wasn't allowed - I tried all sorts of passwords with plenty of different lengths, mixed capitals, hashtags, numbers etc... so sure it wasn't a problem with being insecure. Just would not work.

Since I wasn't present when he did that (we are in different countries), I cannot confirm what his exact steps were. I have now ended up setting a password for him.

txau commented 5 years ago

Reported here: https://github.com/huridocs/uwazi/issues/1997

We recently added a bunch of end-point validations. Despite all the automated testing, some of the validations slipped through the cracks.

vasyugan commented 5 years ago

@txau great. I guess the user should get some feedback then, when a password is rejected, so that s/he understands the reason and can change it accordingly.

txau commented 5 years ago

@vasyugan in this particular case there is no password policy. The reason why it's being rejected is that the end point just won't let any user password through.

txau commented 2 years ago

At least a strength meter for user passwords.
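The policy asked for at the top of the thread (minimum length, mixed case, digits), the per-reason feedback requested later, and a simple strength meter, as an added example written for this discussion; it is not Uwazi code. The policy values and the short common-password list are assumptions chosen for illustration.

```javascript
// Added example (not part of Uwazi): a password policy checker that reports
// every rule a candidate fails, so the user can correct it, plus a coarse
// strength band suitable for driving a meter in the UI.

// Constructed sample; a real deployment would use a large breached-password list.
const COMMON_PASSWORDS = new Set(['password', 'qwerty', '12345', '123456', 'letmein']);

// Hypothetical policy shape and values; these are assumptions, not Uwazi defaults.
const DEFAULT_POLICY = {
  minLength: 12,
  requireMixedCase: true,
  requireDigit: true,
  requireSymbol: false,
  rejectCommon: true,
};

// Returns { ok, reasons }; reasons lists each failed rule in plain language.
function checkPassword(password, policy = DEFAULT_POLICY) {
  const pw = typeof password === 'string' ? password : '';
  const reasons = [];
  if (pw.length < policy.minLength) {
    reasons.push(`must be at least ${policy.minLength} characters long`);
  }
  if (policy.requireMixedCase && !(/[a-z]/.test(pw) && /[A-Z]/.test(pw))) {
    reasons.push('must contain both lower-case and upper-case letters');
  }
  if (policy.requireDigit && !/[0-9]/.test(pw)) {
    reasons.push('must contain at least one digit');
  }
  if (policy.requireSymbol && !/[^A-Za-z0-9]/.test(pw)) {
    reasons.push('must contain at least one symbol');
  }
  if (policy.rejectCommon && COMMON_PASSWORDS.has(pw.toLowerCase())) {
    reasons.push('is on the list of commonly used passwords');
  }
  return { ok: reasons.length === 0, reasons };
}

// Coarse strength band 0..4 for a meter: estimated bits = length * log2(alphabet),
// where alphabet is the sum of the character classes actually used.
function strengthBand(password) {
  const pw = typeof password === 'string' ? password : '';
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) return 0;
  let alphabet = 0;
  if (/[a-z]/.test(pw)) alphabet += 26;
  if (/[A-Z]/.test(pw)) alphabet += 26;
  if (/[0-9]/.test(pw)) alphabet += 10;
  if (/[^A-Za-z0-9]/.test(pw)) alphabet += 33;
  const bits = alphabet ? pw.length * Math.log2(alphabet) : 0;
  if (bits < 28) return 1;
  if (bits < 36) return 2;
  if (bits < 60) return 3;
  return 4;
}
```

The character-class estimate deliberately overstates the strength of dictionary-derived passwords, which is why the common-password check runs first and returns the lowest band.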