Feature #14711 (closed): Issue a warning when a BE user has a weak password (e.g. the same as the username)
Description
Annoy user with a warning so that she changes it to something different than the login.
Make it big and red like the warnings for install pwd, syskey and admin password.
(issue imported from #M1047)
Updated by Sebastian Kurfuerst over 19 years ago
It would make sense to introduce some other checks as well, an integration with cracklib could be done, too. I think the core should provide maybe just checking if user/pass are identical, and everything else should be provided by an extension - so a hook might be needed there, if we can't use process_datamap-hooks.
Updated by Martin Kutschker over 19 years ago
The password check can be done at login time as you simply throw the login into the password-hashing function. If it's identical to the current password hash, then login and password are identical.
Using cracklib, etc. only makes sense at the time you set the password. This is also fine, but covers something different. This is about a warning that works like the mentioned security warnings, i.e. at logon time.
If you want password checking at password change time please file a new bug.
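The login-time check Martin describes above (hash the login name with the same password-hashing function and compare against the stored hash) together with the extension hook Sebastian suggested earlier in the thread, as an added example that is not part of the TYPO3 patch or core code. The hashing scheme (salted PBKDF2-HMAC-SHA256), the record layout, the hook signature and the guessable-value list are assumptions made for this illustration; the warning texts are constructed.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional

# Assumed hashing scheme for this example; any one-way password hash
# works, because the check only ever compares hashes, never cleartext.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored hash for a cleartext password under a given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(username: str, password: str, salt: Optional[bytes] = None) -> Dict:
    """Build a constructed BE user record (username, salt, hash) as it would sit in the DB."""
    salt = os.urandom(16) if salt is None else salt
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}


def password_equals_username(record: Dict) -> bool:
    """Core check from the thread: feed the login name through the password
    hash; if the result equals the stored hash, login and password are identical."""
    candidate = hash_password(record["username"], record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


# Hook-only part: extensions register callables that receive the user record
# and return a warning string, or None if they have nothing to report.
WeakPasswordHook = Callable[[Dict], Optional[str]]
_hooks: List[WeakPasswordHook] = []


def register_hook(hook: WeakPasswordHook) -> None:
    _hooks.append(hook)


def login_warnings(record: Dict, hooks: Optional[List[WeakPasswordHook]] = None) -> List[str]:
    """Collect all big-red-warning texts to show after a successful login."""
    warnings: List[str] = []
    if password_equals_username(record):
        warnings.append("Your password is identical to your username. Please change it.")
    for hook in (_hooks if hooks is None else hooks):
        message = hook(record)
        if message:
            warnings.append(message)
    return warnings


# Example extension hook: the trivial values Michael mentions in the thread,
# checked the same way (hash and compare) so the cleartext is never needed.
GUESSABLE = ("qwertz", "12345")  # constructed, deliberately short list


def guessable_password_hook(record: Dict) -> Optional[str]:
    for value in GUESSABLE:
        if hmac.compare_digest(hash_password(value, record["salt"]), record["hash"]):
            return "Your password is a commonly guessed value. Please change it."
    return None


register_hook(guessable_password_hook)


if __name__ == "__main__":
    for user, pw in (("editor", "editor"), ("editor", "12345"), ("editor", "c0rrect-h0rse")):
        print(user, pw, "->", login_warnings(make_record(user, pw)))
```

Because both the core check and the hook compare hashes, the check can run against records that already exist in the database, which is exactly what makes a logon-time warning possible without storing anything in cleartext. The hook list keeps the core to the single username-equals-password case and leaves cracklib-style checks to extensions, as several commenters asked for.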
Updated by Sebastian Kurfuerst over 19 years ago
The attached patch implements the wanted behavior. Please test if it works.
What do others think, should this become part of the core?
Updated by Ingo Renner over 19 years ago
should this become part of the core?
yes please!
Updated by Michael Scharkow over 19 years ago
Although the issue is clear and the fix not so difficult, I'm not sure I agree to the general policy of issuing warnings for trivial passwords. What about warnings if the password is qwertz or 12345, etc.? Is it really our issue to educate users about choosing the right password?
I'd clearly vote for a hook-only solution...
Updated by Ingo Renner over 19 years ago
a hook could be an additional nice-to-have feature, but I think we should at least urge the users to change their password to something different than the default or the password == username case
Updated by Karsten Dambekalns over 19 years ago
Adding more and more checks should be avoided. If we have too many warnings, people tend to ignore them. And having weak passwords is something that probably should be "educated away" from the users in a different way.
The existing checks deal with default passwords that are shipped with TYPO3, any self-chosen, weak password isn't. So this is not our business, strictly spoken.
For those cases a hook to integrate e.g. cracklib is better.
Updated by Michael Stucki over 19 years ago
I agree with Karsten. Avoid adding more and more "security checks" but write a hook instead.
Updated by Karsten Dambekalns about 19 years ago
I'll look into adding a hook, as it seems we agree on this being the best way to do this.
Updated by Michael Stucki almost 19 years ago
Should be fixed before 4.0 I think...
Updated by Chris topher over 14 years ago
We already have a check for the default user admin with default password integrated in the about module and the reports module, I think.
But what we could add would be a nice bar which changes its color from red over yellow to green when entering the password.
Updated by Mathias Schreiber almost 10 years ago
- Description updated (diff)
- Status changed from New to Closed
- Target version deleted (0)
dupe