myDBR Forums » Feature requests & improvement ideas

Enforce Password Rules does not apply to Admin

(8 posts) (2 voices)

  1. jjr, Member

    Hi,
    I have spotted this potential security issue and want to confirm if it is intentional.
    If you set the Password Security Policy in Environment Settings (as described here: http://mydbr.com/doc/?security.html), these password rules ONLY apply to a user changing their own password.
    They do not seem to apply or be enforced when an Admin sets or resets a user's password from the Users page.
    This seems like a security flaw bug to me.
    Or am I missing something?
    Thanks,
    Justin.

  2. myDBR Team, Key Master

    It is intentional. Usually admin does not need to change user's passwords (other than perhaps setting initial password which user needs to change in first login).

    --
    myDBR Team

  3. jjr, Member

    Thanks for the reply.
    Fair enough, although it is only optional to force the user to change their password on first login (and this flag is not set by default), so that could easily slip through the net.
    Our security consultant has flagged this as a risk so was wondering if there was any reason why it wouldn't be a good idea to enforce this policy for admin too?
    Thanks,
    Justin.

  4. myDBR Team, Key Master

    We can add the password rules in user editing also, no problem.

    --
    myDBR Team

  5. jjr, Member

    If you agree that this seems like a good idea then that would be great. Thanks.
    Would that be part of a general release or an optional extra and how long might it take to release the update?
    Thanks for your help,
    Justin.

  6. myDBR Team, Key Master

    We can add it to next build. Should not take that long.

    --
    myDBR Team

  7. jjr, Member

    Thanks.
    We are on a MySQL paid licence and this query was raised by our security consultant who also identified 3 other issues which are of a more technical nature and I would rather not publicise on these forums. Is there a way to send you or the development team a private message to ask how to address them please (or at least draw them to your attention as security risks)?
    Thanks,
    Justin.

  8. myDBR Team, Key Master

    Just use the support email address. We are more than happy to receive any feedback.

    --
    myDBR Team


Reply

You must log in to post.