Closed Bug 572150 Opened 14 years ago Closed 13 years ago

Require Immediate Password Change for New Admin Accounts

Categories: (Websites Graveyard :: drumbeat.org, defect)

Type: defect
Priority: Not set
Severity: major

Tracking: (Not tracked)

Status: RESOLVED WONTFIX

People: (Reporter: mcoates, Unassigned)

Details: (Whiteboard: [infrasec:auth])

Issue

A new user receives the initial password to their account via email. Drumbeat recommends that the user immediately change their password but does not require it. As a result, it is possible that a user may continue to use the initial password, which may be exposed in the email service or have been exposed during clear text email transfer to the user.


Recommended Remediation

Configure the system so that a new admin account (either by new account creation or granting of admin rights to an existing account) is forced to immediately change their initial password upon first login.

The Drupal-based version of drumbeat.org has been retired. This is not an issue on the current version (we do not send passwords via email).
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
Product: Websites → Websites Graveyard
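
The remediation recommended in this report, sketched as an added Python example (not Drumbeat's or Drupal's code): an admin account still using its emailed initial password is redirected to the password-change page on every request until the password is changed. The route names, the `Account` fields and the helper names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical routes that stay reachable while a change is pending.
CHANGE_PATH = "/user/password"
ALLOWED_WHILE_PENDING = {CHANGE_PATH, "/logout"}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    is_admin: bool = False
    initial_password_in_use: bool = True  # password was delivered by email

    @property
    def must_change_password(self) -> bool:
        # Covers both cases from the report: an account created as admin and
        # an existing account that is later granted admin rights.
        return self.is_admin and self.initial_password_in_use


def create_account(name: str, emailed_password: str, is_admin: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, _hash(emailed_password, salt), is_admin)


def authorize(account: Account, path: str) -> str:
    """Run on every authenticated request, not only at login."""
    if account.must_change_password and path not in ALLOWED_WHILE_PENDING:
        return "redirect:" + CHANGE_PATH
    return "allow"


def change_password(account: Account, new_password: str) -> None:
    # Re-submitting the emailed password must not clear the flag.
    if hmac.compare_digest(_hash(new_password, account.salt), account.pw_hash):
        raise ValueError("new password must differ from the current one")
    account.salt = os.urandom(16)
    account.pw_hash = _hash(new_password, account.salt)
    account.initial_password_in_use = False
```

Deriving the requirement from `is_admin` and `initial_password_in_use` means a later grant of admin rights triggers the forced change without a separate code path.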