administrator/index.php?option=com_config&view=component&component=com_users
)These values are faaaar away from being secure. J4 gives us the possibility to define a little bit more secure default settings for newly created accounts.
Suggestions please if accepted.
Labels |
Added:
?
|
Labels |
Added:
?
|
Only new users or users with a flag "Require Password Reset" will be forced to respect theses settings. Existing passwords are not affected. I haven't tested that with J4 but in J3 it's like that.
BTW: If an administrator creates a new user account (back-end) without entering a password these settings are also ignored (hard coded length of new random password). Maybe that should be also lengthened a bit(?)
If the settings are ignored then that is a bug
If an administrator creates a new user account (back-end) without entering a password these settings are also ignored
Just to confirm this behavior in J4:
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-02-15 21:17:36 |
Closed_By | ⇒ | ReLater |
IIRC (and I could be wrong) the reason for the current default values was because of how to handle existing users who created passwords before any restrictions were created