Patch #3858

Force the 'admin' account to change the default password

Added by Ian Wilson over 8 years ago. Updated over 1 year ago.

Status: Closed
Start date: 2009-09-13
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Accounts / authentication
Target version: -

Description

It's considered generally good security practice to change the default user to something other than 'admin.' While I'm nowhere close to being a RoR expert (in fact, I think I'm a RoR n00b), this patch forces the default username (admin) to set a password on first login that isn't the password 'admin.'

I'd like someone to look at/review the patch, provide feedback, and, if the feedback is positive, consider inclusion into the development version of Redmine.

Thanks;

Ian

force_admin_password_change.diff - Diff file for trunk/dev version. (3.32 KB) Ian Wilson, 2009-09-13 03:35

force_admin_password_change_20150927.diff (565 Bytes) Go MAEDA, 2015-09-27 04:13


Related issues

Related to Redmine - Feature #22381: Require password reset on initial setup for default admin... Closed

History

#1 Updated by Ian Wilson over 8 years ago

I should clarify (after re-reading my initial description): This doesn't force the user to change their username, this only forces the admin user to change the password to something other than the word 'admin.'

#2 Updated by Jean-Philippe Lang over 8 years ago

It seems that it redirects to the password change form but does not actually force the user to change the password.

#3 Updated by Ian Wilson over 8 years ago

Ah, very true -- I didn't think about that. I'll submit an updated diff later that should address this.

#4 Updated by Go MAEDA about 2 years ago

+1 and attaching a new patch.
This can be implemented by adding a migration script, without changing any web application code.

#6 Updated by Go MAEDA almost 2 years ago

  • Target version set to Candidate for next major release

#7 Updated by Go MAEDA over 1 year ago

  • Related to Feature #22381: Require password reset on initial setup for default admin account added

#8 Updated by Jean-Philippe Lang over 1 year ago

  • Status changed from New to Closed
  • Target version deleted (Candidate for next major release)

Patch provided in #22381 committed.
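
The gap raised in comment #2 (redirecting to the password form is not the same as enforcing the change), shown as an added Ruby example that is not Redmine code and not either attached patch. The paths, the `Account` struct and all function names are hypothetical.

```ruby
# Added illustration; not Redmine code. All names and paths are hypothetical.
DEFAULT_PASSWORD = 'admin'
PASSWORD_PATH = '/account/password'
# Paths an account may still reach while a password change is pending.
ALLOWED_WHILE_PENDING = [PASSWORD_PATH, '/logout'].freeze

Account = Struct.new(:login, :must_change_password)

# Redirect-only variant: login points the browser at the password form,
# but later requests are served without looking at the pending flag.
def login_redirect(account)
  account.must_change_password ? PASSWORD_PATH : '/'
end

def redirect_only_dispatch(_account, path)
  [200, path]
end

# Enforced variant: every request is checked until the flag is cleared,
# so typing another URL after login lands back on the password form.
def enforced_dispatch(account, path)
  if account.must_change_password && !ALLOWED_WHILE_PENDING.include?(path)
    return [302, PASSWORD_PATH]
  end
  [200, path]
end

# The flag is cleared only by a change that moves off the default value.
def change_password(account, new_password)
  return false if new_password.to_s.empty?
  return false if new_password == DEFAULT_PASSWORD
  account.must_change_password = false
  true
end

if __FILE__ == $PROGRAM_NAME
  admin = Account.new('admin', true) # constructed sample account
  puts "login redirects to #{login_redirect(admin)}"
  p redirect_only_dispatch(admin, '/admin')
  p enforced_dispatch(admin, '/admin')
  p change_password(admin, 'admin')
  p change_password(admin, 'constructed-sample-passphrase')
  p enforced_dispatch(admin, '/admin')
end
```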
