Patch #3858
closed
Force the 'admin' account to change the default password
0%
Description
It's considered generally good security practice to change the default user to something other than 'admin.' While I'm nowhere close to being a RoR expert (in fact, I think I'm a RoR n00b), this patch forces the default username (admin) to set a password on first login that isn't the password 'admin.'
I'd like someone to look at/review the patch, provide feedback, and, if the feedback is positive, consider inclusion into the development version of Redmine.
Thanks;
Ian
Updated by Ian Wilson about 15 years ago
I should clarify (after re-reading my initial description): This doesn't force the user to change their username, this only forces the admin user to change the password to something other than the word 'admin.'
Updated by Jean-Philippe Lang about 15 years ago
It seems that it redirects to the password change form but does not actually force to change the password.
Updated by Ian Wilson about 15 years ago
Ah, very true -- I didn't think about that. I'll submit an updated diff later that should address this.
Updated by Go MAEDA about 9 years ago
+1 and attaching a new patch.
This can be implemented by adding a migration script, without changing any web application code.
Updated by Go MAEDA about 9 years ago
Updated by Go MAEDA almost 9 years ago
- Target version set to Candidate for next major release
Updated by Go MAEDA over 8 years ago
- Related to Feature #22381: Require password reset on initial setup for default admin account added
Updated by Jean-Philippe Lang over 8 years ago
- Status changed from New to Closed
- Target version deleted (Candidate for next major release)
Patch provided in #22381 committed.
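
The review point raised earlier in this thread (a redirect to the password form does not by itself force a change), as an added Ruby sketch that is not part of the original thread or of Redmine's code: a redirect issued once at login leaves every other URL reachable, while a check made on each request holds until a non-default password is accepted. The `User` struct, the helper names and the paths are assumptions made for the illustration.

```ruby
# Added illustration, not Redmine code. All names and paths are hypothetical.
# Passwords are kept in plaintext only to keep the sketch short; a real
# application compares against a stored hash.
User = Struct.new(:login, :password, :must_change_password)

# Paths a flagged user may still reach (assumed for this sketch).
ALLOWED_WHEN_FLAGGED = ['/my/password', '/logout'].freeze

# Weak variant: the redirect is decided once, right after login.
def weak_after_login(user)
  user.must_change_password ? '/my/password' : '/my/page'
end

# Weak variant: later requests are never checked, so typing any other
# URL skips the password form entirely.
def weak_request(_user, path)
  path
end

# Enforced variant: every request is checked against the persisted flag,
# so the account is confined to the allowed paths until the flag clears.
def enforced_request(user, path)
  return path unless user.must_change_password
  ALLOWED_WHEN_FLAGGED.include?(path) ? path : '/my/password'
end

# The flag clears only when the new password is non-empty, differs from
# the current one and is not the login name.
def change_password(user, new_password)
  return false if new_password.nil? || new_password.empty?
  return false if new_password == user.password || new_password == user.login
  user.password = new_password
  user.must_change_password = false
  true
end
```

Because the flag lives on the user record rather than in the session, logging out and back in does not bypass the enforced variant.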