Feature #2039

open

Generate strong passwords

Added by Pierre Yager about 16 years ago. Updated about 12 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Accounts / authentication
Target version: -
Start date: 2008-10-16
Due date:
% Done: 0%
Estimated time:
Resolution:

Description

Hi,

I use Redmine at work to manage my "commercial" products. As my server is public, I would like to ensure users have strong passwords.

I feel concerned about the quality of the users' passwords.

It would be useful if Redmine could generate such strong passwords when a new user signs in and send the password back to them by email. No giving the user the choice of their password. No letting them change it afterwards. If the user forgets the password, loses the email or didn't save it in the browser's password manager, a simple link will send them a new password by email.


Related issues

Related to Redmine - Feature #3872: New user password - better functionality (Closed, Jean-Philippe Lang, 2009-09-15)

#1

Updated by Eric Davis about 16 years ago

Pierre Yager wrote:

I use Redmine at work to manage my "commercial" products. As my server is public, I would like to ensure users have strong passwords.

I feel concerned about the quality of the users' passwords.

It would be useful if Redmine could generate such strong passwords when a new user signs in and send the password back to them by email.

Wouldn't sending the strong password via email defeat the purpose of having a strong password, since email is sent as plaintext?

I've seen some systems have a password strength meter that checks how strong a password is as the user enters it. Could this work if an administrator can set an option like "password must be at least highly secure"? (other options could be: no security checks, low security, medium security)

#2

Updated by Pierre Yager about 16 years ago

It would be useful if Redmine could generate such strong passwords when a new user signs in and send the password back to them by email.

Wouldn't sending the strong password via email defeat the purpose of having a strong password, since email is sent as plaintext?

I'm pretty sure that system-generated passwords, even when mailed in plain text, are generally safer than bad user-made (or worse, too much reused) passwords.

I've seen some systems have a password strength meter that checks how strong a password is as the user enters it. Could this work if an administrator can set an option like "password must be at least highly secure"? (other options could be: no security checks, low security, medium security)

Sure, that would be a very nice improvement. As I'm not able to do this by myself, I will be happy with any kind of improvement that is done in this area. I just thought that using something like pwgen or any Ruby implementation would be simpler than writing a password-strength-o-meter.

#3

Updated by Toshi MARUYAMA almost 14 years ago

  • Category set to Accounts / authentication
#4

Updated by Daniel Felix about 12 years ago

Well, it would be quite useful to add a button "generate password" in the user registration (administration -> users).

This way, the admin has the ability to generate secure passwords without knowing the user's password.
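The two mechanisms discussed in this thread, a generator for the "generate password" button (#2, #4) and a strength meter with an admin-configurable minimum level (#1), as an added Ruby example that is not part of Redmine or of any commenter's code. The character pool, the level thresholds and the method names are assumptions made for illustration.

```ruby
require 'securerandom'

# Character pool for generated passwords (an assumption for this example).
PASSWORD_CHARS = (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a +
                  %w[! # $ % & * + - = ? @ _]).freeze

# The four character classes the meter counts.
CLASS_PATTERNS = [/[a-z]/, /[A-Z]/, /\d/, /[^a-zA-Z0-9]/].freeze

# Strength levels in increasing order, matching the levels proposed in #1.
STRENGTH_LEVELS = %i[none low medium high].freeze

# Generate a password of +length+ characters drawn uniformly from
# PASSWORD_CHARS with the CSPRNG (SecureRandom, never Kernel#rand).
# Redraws until every character class is present, so a freshly created
# account is never handed a password that fails its own policy.
def generate_password(length = 16)
  raise ArgumentError, 'length must be at least 8' if length < 8

  loop do
    pw = Array.new(length) do
      PASSWORD_CHARS[SecureRandom.random_number(PASSWORD_CHARS.size)]
    end.join
    return pw if CLASS_PATTERNS.all? { |re| pw.match?(re) }
  end
end

# Classify a candidate password into :none, :low, :medium or :high from its
# length and the number of character classes it uses. The thresholds are an
# assumption for illustration, not a Redmine setting.
def password_strength(pw)
  return :none if pw.nil? || pw.empty?

  classes = CLASS_PATTERNS.count { |re| pw.match?(re) }
  return :low if pw.length < 8 || classes < 2
  return :medium if pw.length < 12 || classes < 3

  :high
end

# True when +pw+ reaches at least the administrator-chosen +minimum+ level
# (e.g. "password must be at least highly secure" means minimum = :high).
def meets_policy?(pw, minimum)
  STRENGTH_LEVELS.index(password_strength(pw)) >= STRENGTH_LEVELS.index(minimum)
end
```

Because the meter only counts length and character classes, a long single-class passphrase scores :low; treat the levels as a floor to enforce, not as an entropy estimate.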
