multiOTP / multiotp

multiOTP open source strong two factor authentication PHP library, OATH certified, with TOTP, HOTP, Mobile-OTP, YubiKey, SMS, QRcode provisioning, etc.
http://www.multiOTP.net/
GNU Lesser General Public License v3.0

Feature request : Hide default Username / Password after changed #146

Open lollett opened 1 year ago

lollett commented 1 year ago

It's easy to manually remove default credential details (example below) from webpage multiotp.server.php but after upgrades it's obviously overwritten:

Login Username: admin (default is admin) User NOT authenticated Password: (default is 1234)

In line with best practice password policies (don't disclose default username, password, etc.), wouldn't it be nice to hide this information after the default admin password has been changed?

Example: Login Username: [blank and no additional text] Password: [blank and no additional text]

multiOTP commented 1 year ago

Hello,

It's of course always possible to quickly know the default username and password, and of course for an open source project :-). Security through obscurity is never a good idea.

Anyway, beside that, we agree that we can remove the default username / password if the default password has been changed.

This will be done in a next release.

Thx for the feedback

Regards,

multiOTP commented 1 year ago

Hello,

This has been changed in release 5.9.5.0 and further.

Regards,

lollett commented 7 months ago

The show default credentials until changed functionality doesn't seem to be working.

i.e. It's not showing admin and 1234 on a clean Windows install of 5.9.7.1

multiOTP commented 7 months ago

Hello,

With a fresh install, the multiotp.ini configuration file is not created before calling the page for the first time. If you do a "SHIFT+RELOAD", the default credentials are displayed.

We will try to fix that starting with version 5.9.7.2

Regards,
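An added illustration of the behaviour discussed in this thread (example code written for this page, not multiOTP's own implementation): the login hint is shown only while the default admin password is still in place, and a missing multiotp.ini (the fresh-install case from the comment above) is treated as "still default" so the hint does not disappear before the first page load has written the configuration. The ini key `admin_password_hash` and the use of `password_hash`/`password_verify` are assumptions for this example, not multiOTP's real configuration format.

```php
<?php
// Added example, not multiOTP code. Decide whether the login page may still
// show the "admin / 1234" hint. Assumption: multiotp.ini stores the admin
// password as a password_hash() value under the key 'admin_password_hash'.

function defaultCredentialsStillActive(string $iniPath, string $defaultPassword = '1234'): bool
{
    if (!is_file($iniPath)) {
        // Fresh install: the config file has not been written yet, so nothing
        // has been changed. Showing the hint here is the fix the thread asks for.
        return true;
    }
    $config = parse_ini_file($iniPath);
    if ($config === false || !isset($config['admin_password_hash'])) {
        // Unreadable or incomplete config: behave as if still at defaults.
        return true;
    }
    // Compare against the stored hash; the plaintext is never stored.
    return password_verify($defaultPassword, $config['admin_password_hash']);
}

function loginHint(bool $showDefaults): string
{
    // Empty string once the admin password has been changed, so the page
    // renders "Username: [blank]" / "Password: [blank]".
    return $showDefaults
        ? 'Username: admin (default is admin) / Password: (default is 1234)'
        : '';
}

// Constructed demo: a temporary ini whose admin password was changed.
$tmp = tempnam(sys_get_temp_dir(), 'multiotp');
file_put_contents(
    $tmp,
    'admin_password_hash = "' . password_hash('changed-secret', PASSWORD_DEFAULT) . "\"\n"
);

// Fresh install (no ini yet): hint is shown.
echo loginHint(defaultCredentialsStillActive('/nonexistent/multiotp.ini')), PHP_EOL;
// Password changed: hint is hidden.
echo loginHint(defaultCredentialsStillActive($tmp)) === '' ? "hint hidden" : "hint shown", PHP_EOL;

unlink($tmp);
```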