[OPEN-ILS-GENERAL] Password reset uses phone number fails: EG2.2
Thomas Berezansky
tsbere at mvlc.org
Fri Aug 3 09:50:20 EDT 2012
All of the above.
Personally, I disagree with the setting existing to begin with, and
think that the initial passwords should be much more complicated than
just digits.
Thomas Berezansky
Merrimack Valley Library Consortium
Quoting Bob Wicksall <bwicksall at pls-net.org>:
> <Snip>
>
>> Because resetting someone's password to something that is basically
>> public information, their phone number, is asking for accounts to be
>> hijacked.
>
> If that is the case you could argue that the setting shouldn't exist
> in the first place. What is worse? A database full of users who
> have never changed their password from the default phone number or a
> few manually reset passwords?
>
> Bob Wicksall
> Systems Administrator
>
> Pioneer Library System
> 2557 State Rt. 21
> Canandaigua, New York 14424
>
>
> ----- Original Message -----
>> From: "Jason Stephenson" <jstephenson at mvlc.org>
>> To: open-ils-general at list.georgialibraries.org
>> Sent: Friday, August 3, 2012 9:27:00 AM
>> Subject: Re: [OPEN-ILS-GENERAL] Password reset uses phone number
>> fails: EG2.2
>>
>> Quoting Thomas Berezansky <tsbere at mvlc.org>:
>>
>> > All future resets would still be random.
>>
>> Because resetting someone's password to something that is basically
>> public information, their phone number, is asking for accounts to be
>> hijacked.
>>
>>
>> --
>> Jason Stephenson
>> Assistant Director for Technology Services
>> Merrimack Valley Library Consortium
>> Chief Bug Wrangler, Evergreen ILS
>>
>