Patch #3858

closed

Force the 'admin' account to change the default password

Added by Ian Wilson over 14 years ago. Updated almost 8 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Accounts / authentication
Target version: -
Start date: 2009-09-13
Due date:
% Done: 0%
Estimated time:

Description

It's considered generally good security practice to change the default user to something other than 'admin.' While I'm nowhere close to being a RoR expert (in fact, I think I'm a RoR n00b), this patch forces the default username (admin) to set a password on first login that isn't the password 'admin.'

I'd like someone to look at/review the patch, provide feedback, and, if the feedback is positive, consider inclusion into the development version of Redmine.

Thanks;

Ian


Files

force_admin_password_change.diff (3.32 KB): Diff file for trunk/dev version. Ian Wilson, 2009-09-13 03:35
force_admin_password_change_20150927.diff (565 Bytes): Go MAEDA, 2015-09-27 04:13

Related issues

Related to Redmine - Feature #22381: Require password reset on initial setup for default admin account (Closed, Jean-Philippe Lang)

Actions #1

Updated by Ian Wilson over 14 years ago

I should clarify (after re-reading my initial description): This doesn't force the user to change their username, this only forces the admin user to change the password to something other than the word 'admin.'

Actions #2

Updated by Jean-Philippe Lang over 14 years ago

It seems that it redirects to the password change form but does not actually force the user to change the password.

Actions #3

Updated by Ian Wilson over 14 years ago

Ah, very true -- I didn't think about that. I'll submit an updated diff later that should address this.

Actions #4

Updated by Go MAEDA over 8 years ago

+1 and attaching a new patch.
This can be implemented by adding a migration script, without changing any web application code.

Actions #6

Updated by Go MAEDA about 8 years ago

  • Target version set to Candidate for next major release

Actions #7

Updated by Go MAEDA almost 8 years ago

  • Related to Feature #22381: Require password reset on initial setup for default admin account added

Actions #8

Updated by Jean-Philippe Lang almost 8 years ago

  • Status changed from New to Closed
  • Target version deleted (Candidate for next major release)

Patch provided in #22381 committed.
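
The gap raised in note #2 (a redirect to the password form that does not enforce the change) next to a per-request check, with a data-only flagging step in the spirit of note #4. This is an added example, not code from either attached patch or from Redmine; the `must_change_password` flag, the paths and all function names are hypothetical, and passwords are compared in plain text only to keep the example self-contained.

```ruby
# Added illustration, not Redmine code. All names and paths are hypothetical.
DEFAULT_PASSWORD = 'admin'
PASSWORD_CHANGE_PATH = '/my/password'
ALLOWED_WHILE_FLAGGED = [PASSWORD_CHANGE_PATH, '/logout'].freeze

# Plain-text password field is a simplification; a real app compares hashes.
User = Struct.new(:login, :password, :must_change_password)

# Data-only step: flag the account only while it still has the default
# credentials, so an already-changed admin password is left alone.
def flag_default_admin(users)
  users.each do |u|
    u.must_change_password = true if u.login == 'admin' && u.password == DEFAULT_PASSWORD
  end
end

# Weak variant: one redirect right after login. Nothing stops the user
# from navigating away from the form on the next request.
def redirect_after_login(user)
  user.must_change_password ? PASSWORD_CHANGE_PATH : '/'
end

# Enforcing variant: runs before every request and returns the path that
# is actually served. Only the change form and logout stay reachable.
def gate_request(user, requested_path)
  return requested_path unless user.must_change_password
  return requested_path if ALLOWED_WHILE_FLAGGED.include?(requested_path)
  PASSWORD_CHANGE_PATH
end

# Change handler: rejects empty, default and unchanged passwords, and
# clears the flag only after a real change.
def change_password(user, new_password)
  return false if new_password.nil? || new_password.empty?
  return false if new_password == DEFAULT_PASSWORD || new_password == user.password
  user.password = new_password
  user.must_change_password = false
  true
end
```
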
