Require Immediate Password Change for New Admin Accounts

RESOLVED WONTFIX

Status

Websites Graveyard
www.drumbeat.org
--
major
RESOLVED WONTFIX
8 years ago
3 years ago

People

(Reporter: mcoates, Unassigned)

Tracking

Details

(Whiteboard: [infrasec:auth])

Issue

A new user receives the initial password to their account via email. Drumbeat recommends that the user immediately change their password but does not require it. As a result, it is possible that a user may continue to use the initial password, which may be exposed in the email service or have been exposed during clear text email transfer to the user.


Recommended Remediation

Configure the system so that a new admin account (either by new account creation or granting of admin rights to an existing account) is forced to immediately change their initial password upon first login.
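A minimal sketch of the control recommended above, added here as an example and not taken from Drumbeat or Drupal: one flag marks the emailed initial password as still live, and the login check covers both a newly created admin and an existing account promoted to admin. The `AccountStore` class, its method names and the return values are hypothetical.

```python
import hashlib
import hmac
import os


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Hypothetical in-memory store; not Drumbeat's or Drupal's code."""

    def __init__(self):
        self._users = {}

    def _verify(self, user, password):
        return hmac.compare_digest(user["hash"], _digest(password, user["salt"]))

    def _store_password(self, user, password, emailed):
        user["salt"] = os.urandom(16)
        user["hash"] = _digest(password, user["salt"])
        user["emailed"] = emailed  # True while the emailed initial password is live

    def create(self, name, initial_password, admin=False):
        user = {"admin": admin}
        self._store_password(user, initial_password, emailed=True)
        self._users[name] = user

    def grant_admin(self, name):
        # Promotion path: the "emailed" flag set at creation still applies.
        self._users[name]["admin"] = True

    def login(self, name, password):
        user = self._users.get(name)
        if user is None or not self._verify(user, password):
            return "denied"
        # An admin still on the emailed password gets a change-only session.
        if user["admin"] and user["emailed"]:
            return "change_required"
        return "ok"

    def change_password(self, name, current, new):
        user = self._users.get(name)
        if user is None or not self._verify(user, current):
            return False
        if self._verify(user, new):  # re-submitting the same password is no change
            return False
        self._store_password(user, new, emailed=False)
        return True
```

The caller is expected to treat `"change_required"` as a session that can reach only the password-change form until `change_password` succeeds.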
The Drupal-based version of drumbeat.org has been retired. This is not an issue on the current version (we do not send passwords via email).
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WONTFIX
Group: websites-security

Updated

3 years ago
Product: Websites → Websites Graveyard