Hello, > On 16 Nov 2016, at 21:22, Anthony King <[email protected]> wrote: > Sending a link to set a password isn't much better. > The cardinal rule of passwords is “you must be the only person who knows your password”. This means never writing it down anywhere, except in a proper password manager, and never telling it to anyone, *even* your IT staff — to fight social engineering attacks.
Sending a password in clear over email means the IT staff is okay with knowing the user's password. Disregarding their own guidelines sets a poor example and reduces their credibility about password management in general. Of course, on most Django websites, someone who can create a staff user can also change the user’s password — it’s rare to give the “create user” but not the “change user” permission. I’m not making a technical argument here, I’m thinking of IT literacy and educating users. > Perhaps a way to force a password change on login would be better, which has > more use elsewhere, such as being able to periodically force password changes Forcing a password change on login is another interesting idea to solve this problem. That’s what ActiveDirectory has to do, because OSes don’t have the same password reset possibilities that web applications have. However I think that would mean solving the general problem of password rotation. Django solved password validation recently; it could solve password rotation next. (Note that password rotation is controversial because it forces users to choose weak passwords with a basic rotation scheme like putting month number at the end, instead of storing strong random password in a password manager. Trade-offs.) I still think a simple solution hooking into the current password reset mechanism, just with a different email template, could be a quick security win for a lot of Django sites. I’d encourage people to use it if it existed. Best regards, -- Aymeric. -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/76AE3F1E-6C00-4E4E-86A7-4E1374FF20AF%40polytechnique.org. For more options, visit https://groups.google.com/d/optout.
