View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|12427||Feature requests||[All Projects] User/User groups||public||2017-05-25 15:38||2019-03-13 08:00|
|Target Version||Fixed in Version|
|Summary||12427: Passwords allow for preceeding and trailing spaces|
Not really a bug, but in 2.65.0 Build 170502 (and the latest version/previous versions as far as I can tell), if I manually create a user password, and I accidentally enter a space before or after the password, the password is not trimmed before being inserted into the database. Nor are passwords trimmed at the login page.
Seems to me to be a simple fix to wrap trim around password variable before hashing at login.php and User.php and would be a good practice feature as I'm sure sometimes, like me, one copies and pastes passwords and accidentally the copy picks up a space character.
|Tags||No tags attached.|
I would say it's not an issue.
In my opinion : we must FORCE white space inside a password ;)
Now I see the light of this -- yes, spaces should be allowed (although maybe a warning should be displayed that the password contains spaces)... I just cases where if one cuts and pastes a password, a space gets added and people don't always realize that.
Yes : showing an information about surrounded whitespace is a good idea :) +1
HOWEVER, a big problem is that by default the system sends the password on a password reset request as open text in email... That's not so good.
I know this can be disabled by setting this in config.php (which prevents sending password at time of account creation, and removes the "Forgot your password?" question on the login page:
'display_user_password_in_email' => false
I notice with this set to false, that when I create a user account, the system message on the create user dialog still indicates that the password will be sent to the user via email, even though it won't be: I recommend that message should instead indicate the password WILL NOT be sent if config setting is 'false'.
While obviously a user with permissions to create/edit users can reset user passwords, there are scenarios whereby an organization policy states that end users should be the only ones who know their passwords.
With 'display_user_password_in_email' => false, the user has no way to reset their password. This could be resolved with a single user password reset link instead of sending passwords in emails. Some of this logic likely already exists, since there is the config setting for use_one_time_passwords (but it is designed for external systems that create accounts in LS -- maybe this can be extended to the core system...
Or maybe there are other great ways to prevent passwords being sent by email, but still allow users to request password resets (like a password reset link -- instead of sending the password in the email).
And on top of all that, if 2FA using Google Authenticator was a feature that could be enabled on all user accounts, this would give end-users the option to apply an additional layer of protection on their user accounts.
The real fix is :
Yes, this would be a good approach to start with.
But I still get the standard login email...
Any thoughts what would it take to integrate the link with onetime password into LS?
One day work (maybe more), and only in 4.X
|2017-05-25 15:38||blocka||New Issue|
||Note Added: 43833|
|2019-03-12 15:18||DenisChenu||Note Added: 50922|
|2019-03-12 15:21||blocka||Note Added: 50923|
|2019-03-12 15:57||DenisChenu||Note Added: 50927|
|2019-03-12 16:29||blocka||Note Added: 50928|
|2019-03-12 17:39||DenisChenu||Relationship added||related to 14049|
|2019-03-12 17:40||DenisChenu||Note Added: 50930|
|2019-03-12 18:05||blocka||Note Added: 50934|
|2019-03-13 08:00||DenisChenu||Note Added: 50937|