Hi,
I have spotted this potential security issue and want to confirm if it is intentional.
If you set the Password Security Policy in Environment Settings (as described here: http://mydbr.com/doc/?security.html), these password rules ONLY apply to a user changing their own password.
They do not seem to apply or be enforced when an Admin sets or resets a user's password from the Users page.
This seems like a security flaw bug to me.
Or am I missing something?
Thanks,
Justin.
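As an added illustration of the gap Justin describes (example code written for this thread, not myDBR's own implementation; the policy fields, the User record and the PBKDF2 hashing are constructed here): a password policy checked at one choke point that both the self-service change and the admin set/reset go through, with the admin path additionally forcing a change at next login so a temporary password cannot quietly become the permanent one.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass


# Constructed for this example; the real policy options live in myDBR's
# Environment Settings and are not reproduced here.
@dataclass
class PasswordPolicy:
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True

    def violations(self, password: str) -> list[str]:
        """Return every rule the candidate password breaks (empty list = OK)."""
        checks = [
            (len(password) >= self.min_length, f"shorter than {self.min_length} characters"),
            (not self.require_upper or re.search(r"[A-Z]", password), "no uppercase letter"),
            (not self.require_lower or re.search(r"[a-z]", password), "no lowercase letter"),
            (not self.require_digit or re.search(r"[0-9]", password), "no digit"),
            (not self.require_symbol or re.search(r"[^A-Za-z0-9]", password), "no symbol"),
        ]
        return [msg for ok, msg in checks if not ok]


@dataclass
class User:
    name: str
    password_hash: bytes = b""
    salt: bytes = b""
    must_change_password: bool = False


class PasswordPolicyError(ValueError):
    """Raised when a candidate password fails the configured rules."""


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; a real deployment would use its own KDF settings.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(user: User, password: str) -> bool:
    """Constant-time comparison against the stored hash."""
    return bool(user.salt) and hmac.compare_digest(_hash(password, user.salt), user.password_hash)


def _store_password(user: User, password: str, policy: PasswordPolicy) -> None:
    """The single choke point: every write of a password goes through here,
    so no caller (user or admin) can bypass the policy."""
    problems = policy.violations(password)
    if problems:
        raise PasswordPolicyError(", ".join(problems))
    user.salt = os.urandom(16)
    user.password_hash = _hash(password, user.salt)


def change_own_password(user: User, old: str, new: str, policy: PasswordPolicy) -> None:
    """Self-service path (the one the thread says is policy-checked today)."""
    if not verify_password(user, old):
        raise PermissionError("current password does not match")
    _store_password(user, new, policy)
    user.must_change_password = False


def admin_set_password(user: User, new: str, policy: PasswordPolicy) -> None:
    """Admin set/reset path: same rules as the self-service path, plus a forced
    change at next login so an admin-chosen password is only ever temporary."""
    _store_password(user, new, policy)
    user.must_change_password = True


if __name__ == "__main__":
    policy = PasswordPolicy()
    u = User("justin")
    admin_set_password(u, "Temp0rary-Pass!", policy)
    print("must change at next login:", u.must_change_password)
    try:
        admin_set_password(u, "short", policy)
    except PasswordPolicyError as e:
        print("admin reset rejected:", e)
```

The design point is that the policy is not a feature of the "change my password" form but of the function that writes a password; the two user-facing operations are thin wrappers around it. Setting `must_change_password` unconditionally on the admin path removes the dependence on an optional flag that, as the thread notes, is off by default.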
Enforce Password Rules does not apply to Admin
It is intentional. Usually an admin does not need to change users' passwords (other than perhaps setting an initial password which the user needs to change at first login).
--
myDBR Team
Thanks for the reply.
Fair enough, although it is only optional to force the user to change their password on first login (and this flag is not set by default), so that could easily slip through the net.
Our security consultant has flagged this as a risk, so I was wondering if there was any reason why it wouldn't be a good idea to enforce this policy for admins too?
Thanks,
Justin.
We can add the password rules in user editing also, no problem.
--
myDBR Team
If you agree that this seems like a good idea then that would be great. Thanks.
Would that be part of a general release or an optional extra and how long might it take to release the update?
Thanks for your help,
Justin.
We can add it to next build. Should not take that long.
--
myDBR Team
Thanks.
We are on a MySQL paid licence and this query was raised by our security consultant who also identified 3 other issues which are of a more technical nature and I would rather not publicise on these forums. Is there a way to send you or the development team a private message to ask how to address them please (or at least draw them to your attention as security risks)?
Thanks,
Justin.
Just use the support email address. We are more than happy to receive any feedback.
--
myDBR Team