Allow new members to set their password in CEO #48

Closed
opened 10 months ago by n3parikh · 4 comments
Collaborator

In the old version of CEO, the new member could choose their password on the final screen, rather than being given a random temporary passowrd. We should allow that here too (maybe with an option to generate a random temporary password if sign up is being done remotely, but I am not sure if we will continue to have remote sign ups?).

In the old version of CEO, the new member could choose their password on the final screen, rather than being given a random temporary passowrd. We should allow that here too (maybe with an option to generate a random temporary password if sign up is being done remotely, but I am not sure if we will continue to have remote sign ups?).
Owner

I'm willing to debate this more, but I'm going to deny this request for now. My reasoning is that most people, when asked to create a password on the spot, will create one which is easy to remember, which is most likely going to be weak. In fact, they will probably choose an existing password which they are using for another account, which is also not a good security practice.

I think it is a good idea to generate a random password (which the user only needs to type once, the first time they login) and ask the user to change it later once they are at the comfort of their own computer. At their own computer, they are not under pressure to create a password quickly, and they may already have some password manager installed which they would prefer to use.

There is another reason why I prefer generating random passwords during signup - many CSC users will never login to the general-use machines even once. If they create a weak password during signup, and then never use it, then that is a security vulnerability, because they will never get the Kerberos prompt to change their password. This threat isn't as big as it used to be thanks to 2FA, but it's best to prevent this scenario from happening in the first place.

I'm willing to debate this more, but I'm going to deny this request for now. My reasoning is that most people, when asked to create a password on the spot, will create one which is easy to remember, which is most likely going to be weak. In fact, they will probably choose an existing password which they are using for another account, which is also not a good security practice. I think it is a good idea to generate a random password (which the user only needs to type once, the first time they login) and ask the user to change it later once they are at the comfort of their own computer. At their own computer, they are not under pressure to create a password quickly, and they may already have some password manager installed which they would prefer to use. There is another reason why I prefer generating random passwords during signup - many CSC users will never login to the general-use machines even once. If they create a weak password during signup, and then never use it, then that is a security vulnerability, because they will never get the Kerberos prompt to change their password. This threat isn't as big as it used to be thanks to 2FA, but it's best to prevent this scenario from happening in the first place.
Poster
Collaborator

I think it would still be nice if people could set their passwords on signups, but these are definetely valid points, so I agree overall, let's keep it as is for now.

Just to confirm, when a new member signups, they are emailed their temporary password automatically right?

I think it would still be nice if people could set their passwords on signups, but these are definetely valid points, so I agree overall, let's keep it as is for now. Just to confirm, when a new member signups, they are emailed their temporary password automatically right?
Owner

Just to confirm, when a new member signups, they are emailed their temporary password automatically right?

Yes, ceod includes the temporary password in the welcome email.

> Just to confirm, when a new member signups, they are emailed their temporary password automatically right? Yes, ceod includes the temporary password in the welcome email.
Owner

Closing for now.

Closing for now.
merenber closed this issue 8 months ago
Sign in to join this conversation.
No Label
No Milestone
No project
No Assignees
2 Participants
Notifications
Due Date

No due date set.

Dependencies

No dependencies set.

Reference: public/pyceo#48
Loading…
There is no content yet.