It sounds like you are speaking of Ofbiz as a finished product, in which
case I agree with your first paragraph. However, Ofbiz is not a finished
product and is meant for consultants to set up for end users. The
consultant should know this information and make the application they
set up for their client fully secure.

Confused about sa...@domain.com. If she is sending emails with this
email address through ofbiz, then it is taken from the primary email
address of the contactmech, not the login, and ofbiz receives those
emails and puts them in her party communications.
The login should not be sa...@domain.com, since the email would be sent
to her account in ofbiz and she could not access it. It should be
sa...@otherdomain.com, like yahoo or qmail.com. This would reduce the
chance of someone knowing her login.

There are some conditions that allow not sending or resetting the
password. They are in the Security.properties. Look at the code in
LoginEvents.emailPassword()

Mike sent the following on 8/3/2011 11:07 PM:
> Sorry for the late response (vacation).  I understand what you are saying,
> that it is not a good idea to use generic or group accounts as much as
> possible. However, it should not be so easy for users of an ERP to
> shoot themselves in the foot. This sounds like a gaping security hole,
> or at least a major security annoyance.
> 
> For instance: you have a group of folks who answer phones and provide
> customer support.  They read and reply to emails to multiple
> customers.  When they email customers, they use their own accounts,
> like sa...@domain.com.  Let's disrupt sally (or admin!) by simply
> going to the ecommerce page, entering sally and clicking forgot password.
> Does anyone think this is OK?  I don't think it should be necessary to
> change the admin login, or even use unfriendly user names.
> 
> 
> On Sat, Jul 30, 2011 at 11:39 AM, Carsten Schinzer
> <c.schin...@googlemail.com> wrote:
>> From a data security perspective your statement about 'Any organization
>> would have generic accounts' is dangerous, IMHO.
>>
>> Under stricter data security regulations, you would first of all want
>> traceability of who did what in the system, hence you want individual
>> accounts. And initiatives like the Payment Card Industry Data Security
>> Standards are addressing exactly those kinds of issues and enforcing such
>> policies.
>>
>> So beware when using 'group accounts' over individual logins. They may be
>> easy to use for everyone, but then beware that it's also easy to hack them (who
>> would use a cryptic password on a group account .... ?) or be nasty with
>> enforced password resets.
>>
>> I tend to use either email or even generic xAdmin01 or such which are
>> abstracted. On production OFBiz systems, I do not use any of the demo
>> accounts as well.
>>
>> Then BJ's point perfectly kicks in that user names are no longer guessable
>> and thus your pain would go away.
>>
>> Just my 0.02 EUR.
>> Greets
>>
>>
>> Carsten
>>
>>
>> Otherwise
>>
>> 2011/7/30 Mike <mz4whee...@gmail.com>
>>
>>> There must be something more.  Any organization would have generic
>>> logins, like "sales", or it would be easy to guess employee logins
>>> from the "about us" page.  It makes sense that the password reset
>>> should be intended ONLY for customers, not (any) system-type login.
>>>
>>> I would think that the password reset feature should be limited to
>>> certain roles, like "Customer".
>>>
>>> On Sat, Jul 30, 2011 at 4:00 AM, BJ Freeman <bjf...@free-man.net> wrote:
>>>> For production systems do not use "admin" as a login.
>>>> It is never created.
>>>>
>>>> Mike sent the following on 7/30/2011 12:10 AM:
>>>>> Why is it that *any* user, using the password reset or "Forgot
>>>>> Your Password", can actually force "admin" to change the password?  Is
>>>>> there a way to turn this off?
>>>>>
>>>>
>>>
>>
>>
>>
>> --
>>
>> Best
>>
>> Carsten Schinzer
>>
>> Waisenhausstr. 53a
>> 80637 München
>> Germany
>>
> 

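The thread's complaint is that anyone who knows or guesses a login name can trigger a password reset against it, including "admin". The sketch below is an added example, not OFBiz code and not what LoginEvents.emailPassword() does: it implements Mike's suggestion of restricting self-service reset to customer roles, answers every request with the same message so the page cannot be used to confirm which logins exist, and (an assumption going beyond the thread) leaves the current password untouched until a mailed, single-use token is presented. Role names, the TTL and the in-memory account store are constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Only self-service accounts may be reset from the public page; system and
# admin logins are excluded, as Mike suggests in the thread (assumed role names).
RESETTABLE_ROLES = {"CUSTOMER"}
TOKEN_TTL = 900  # seconds a reset token stays valid (assumed value)
# One message for every outcome, so the page does not confirm which logins exist.
GENERIC_MESSAGE = "If that login exists and is eligible, a reset email has been sent."


@dataclass
class Account:
    login: str
    role: str
    password_hash: str
    reset_token: Optional[str] = None
    token_expiry: float = 0.0


def request_reset(accounts, login, now=None):
    """Stage a reset; return (message, token). token is None unless eligible.

    The current password is left untouched, so a request made by someone else
    cannot lock the real owner out; the token would be mailed to the party's
    primary contact address, never shown to the requester."""
    now = time.time() if now is None else now
    acct = accounts.get(login)
    if acct is None or acct.role not in RESETTABLE_ROLES:
        return GENERIC_MESSAGE, None
    acct.reset_token = secrets.token_urlsafe(32)
    acct.token_expiry = now + TOKEN_TTL
    return GENERIC_MESSAGE, acct.reset_token


def complete_reset(accounts, login, token, new_password_hash, now=None):
    """Apply the new password only with a valid, unexpired, single-use token."""
    now = time.time() if now is None else now
    acct = accounts.get(login)
    if acct is None or acct.reset_token is None or now > acct.token_expiry:
        return False
    if not hmac.compare_digest(acct.reset_token, token):  # constant-time compare
        return False
    acct.password_hash = new_password_hash
    acct.reset_token, acct.token_expiry = None, 0.0  # token cannot be replayed
    return True
```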