Open vasyugan opened 5 years ago
@vasyugan arguably =)
If the user is completely free to choose any password, don't you think many of them will go for something like "password", "qwerty" or "12345"?
Also, for your information, here is what I just got from a colleague for whom I set up an account:
Hmmm - just tried to create a password & whatever I do it won't let me create (keeps giving me various reasons). Going to give up for now!
When I asked him for details, he responded:
I got mixed messages - got told they didn't match (even though I was copying & pasting), that the password wasn't allowed - I tried all sorts of passwords with plenty of different lengths, mixed capitals, hashtags, numbers etc... so sure it wasn't a problem with being insecure. Just would not work.
Since I wasn't present when he did that (we are in different countries), I cannot confirm what his exact steps were. I have now ended up setting a password for him.
Reported here: https://github.com/huridocs/uwazi/issues/1997
We recently added a bunch of endpoint validations. Despite all the automated testing, some of the validations slipped through the cracks.
@txau great. I guess the user should get some feedback then, when a password is rejected, so that s/he understands the reason and can change it accordingly.
@vasyugan in this particular case there is no password policy. The reason why it's being rejected is that the endpoint just won't let any user password through.
At least a strength meter for user passwords.
A new user is expected to set their own password, but I cannot find any place for the administrator to set a password policy (minimum number of characters, requirements for mixed case, digits, etc.). This is a security issue in my view.
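As an added illustration (example code, not Uwazi's own validation), here is a configurable policy check of the kind requested in this issue that returns every failed rule, so the rejection feedback asked for above can state the reason instead of a bare "not allowed"; the policy fields and the short denylist are assumptions for the example.

```javascript
// Added example: configurable password policy that reports each failed rule.
// Not Uwazi code; policy fields and the denylist below are assumptions.

const DEFAULT_POLICY = {
  minLength: 12,
  requireMixedCase: true,
  requireDigit: true,
  requireSymbol: false,
  // Constructed sample denylist; a deployment would load a large list of
  // leaked/common passwords instead of these five entries.
  denylist: ['password', 'qwerty', '12345', '123456', 'letmein'],
};

// Returns { ok, reasons } where reasons lists every rule the password failed,
// so the UI can show the user exactly what to change.
function validatePassword(password, policy = DEFAULT_POLICY) {
  if (typeof password !== 'string') {
    return { ok: false, reasons: ['password must be a string'] };
  }
  const reasons = [];
  if (password.length < policy.minLength) {
    reasons.push(`must be at least ${policy.minLength} characters`);
  }
  const hasLower = /[a-z]/.test(password);
  const hasUpper = /[A-Z]/.test(password);
  if (policy.requireMixedCase && !(hasLower && hasUpper)) {
    reasons.push('must contain both upper- and lower-case letters');
  }
  if (policy.requireDigit && !/[0-9]/.test(password)) {
    reasons.push('must contain a digit');
  }
  if (policy.requireSymbol && !/[^A-Za-z0-9]/.test(password)) {
    reasons.push('must contain a symbol');
  }
  // Normalise (lower-case, strip symbols) before the denylist check so that
  // trivial variants such as "Password1!" are caught as well.
  const normalised = password.toLowerCase().replace(/[^a-z0-9]/g, '');
  if (policy.denylist.some((common) => normalised.includes(common))) {
    reasons.push('is too common or contains a common password');
  }
  return { ok: reasons.length === 0, reasons };
}
```

The denylist match is a substring match, so a long password that embeds "password" is still rejected; loosen it to an exact match if that is too strict for your users.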