Feature #2039

Generate strong passwords

Added by Pierre Yager about 9 years ago. Updated about 5 years ago.

Status: New
Start date: 2008-10-16
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Accounts / authentication
Target version: -
Resolution:

Description

Hi,

I use redmine at work to manage my "commercial" products. As my server is public, I would like to ensure users have strong passwords.

I feel concerned about the quality of the user's passwords.

It would be useful if Redmine could generate such strong passwords when a new user signs in and send the password back by email. No giving the user a choice of password, and no letting him change it afterwards. If the user forgets his password, loses the email or didn't save it in his browser's password manager, a simple link will send him a new password by email.


Related issues

Related to Redmine - Feature #3872: New user password - better functionality Closed 2009-09-15

History

#1 Updated by Eric Davis about 9 years ago

Pierre Yager wrote:

I use redmine at work to manage my "commercial" products. As my server is public, I would like to ensure users have strong passwords.

I feel concerned about the quality of the user's passwords.

It would be useful if Redmine could generate such strong passwords when a new user signs in and send the password back by email.

Wouldn't sending the strong password via email defeat the purpose of having a strong password, since email is sent as plaintext?

I've seen some systems have a password strength meter that checks how strong a password is as the user enters it. Could this work if an administrator can set an option like "password must be at least highly secure"? (other options could be: no security checks, low security, medium security)

#2 Updated by Pierre Yager about 9 years ago

It would be useful if Redmine could generate such strong passwords when a new user signs in and send the password back by email.

Wouldn't sending the strong password via email defeat the purpose of having a strong password, since email is sent as plaintext?

I'm pretty sure that system-generated passwords, even when mailed in plain text, are generally safer than bad user-made (or worse, too often reused) passwords.

I've seen some systems have a password strength meter that checks how strong a password is as the user enters it. Could this work if an administrator can set an option like "password must be at least highly secure"? (other options could be: no security checks, low security, medium security)

Sure, that would be a very nice improvement. As I'm not able to do this by myself, I will be happy with any kind of improvement that will be done in this area. I just thought that using something like pwgen or any Ruby implementation would be simpler than writing a password-strength-o-meter.

#3 Updated by Toshi MARUYAMA over 6 years ago

  • Category set to Accounts / authentication

#4 Updated by Daniel Felix about 5 years ago

Well, it would be quite useful to add a button "generate password" in the user registration (administration -> users).

This way, the admin has the ability to generate secure passwords without knowing the user's password.
