Allow new members to set their password in CEO #48

Closed
opened 2022-03-28 01:01:52 -04:00 by n3parikh · 4 comments
Contributor

In the old version of CEO, the new member could choose their password on the final screen, rather than being given a random temporary password. We should allow that here too (maybe with an option to generate a random temporary password if sign up is being done remotely, but I am not sure if we will continue to have remote sign ups?).

Owner

I'm willing to debate this more, but I'm going to deny this request for now. My reasoning is that most people, when asked to create a password on the spot, will create one which is easy to remember, which is most likely going to be weak. In fact, they will probably choose an existing password which they are using for another account, which is also not a good security practice.

I think it is a good idea to generate a random password (which the user only needs to type once, the first time they log in) and ask the user to change it later once they are in the comfort of their own computer. At their own computer, they are not under pressure to create a password quickly, and they may already have some password manager installed which they would prefer to use.

There is another reason why I prefer generating random passwords during signup - many CSC users will never log in to the general-use machines even once. If they create a weak password during signup, and then never use it, then that is a security vulnerability, because they will never get the Kerberos prompt to change their password. This threat isn't as big as it used to be thanks to 2FA, but it's best to prevent this scenario from happening in the first place.

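A small illustration of the flow the owner argues for (a CSPRNG-generated temporary password with a must-change-at-first-login flag), added here as an example; it is not ceod's code, and the alphabet, the 72-bit entropy floor and the NewAccount record are assumptions:

```python
import math
import secrets
import string
from dataclasses import dataclass

# Alphabet with look-alike characters (0/O, 1/l/I) dropped, so a password
# that is typed exactly once from a welcome email is less error-prone.
# Assumed choice for this example, not what ceod uses.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def generate_temporary_password(min_bits: float = 72.0) -> str:
    """Draw a temporary password from the OS CSPRNG (secrets), long enough
    to meet the requested entropy floor regardless of alphabet size."""
    length = math.ceil(min_bits / math.log2(len(ALPHABET)))
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class NewAccount:
    """Assumed provisioning record: the temporary password is only meant to
    survive until the first login, at which point a change is forced."""
    username: str
    temp_password: str
    must_change_password: bool = True


def provision(username: str) -> NewAccount:
    """Create the account record a signup flow would hand to the mailer."""
    return NewAccount(username=username, temp_password=generate_temporary_password())


if __name__ == "__main__":
    acct = provision("newmember")  # constructed sample username
    print(acct.username, len(acct.temp_password), acct.must_change_password)
```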
Author
Contributor

I think it would still be nice if people could set their passwords at signup, but these are definitely valid points, so I agree overall, let's keep it as is for now.

Just to confirm, when a new member signs up, they are emailed their temporary password automatically, right?

Owner

> Just to confirm, when a new member signs up, they are emailed their temporary password automatically, right?

Yes, ceod includes the temporary password in the welcome email.

Owner

Closing for now.

Reference: public/pyceo#48